Tap Driver Installation
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
Sigma rule (View on GitHub)
1title: Tap Driver Installation
2id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
3status: test
4description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
5references:
6 - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
7author: Daniil Yugoslavskiy, Ian Davis, oscd.community
8date: 2019/10/24
9modified: 2022/12/25
10tags:
11 - attack.exfiltration
12 - attack.t1048
13logsource:
14 product: windows
15 service: system
16detection:
17 selection:
18 Provider_Name: 'Service Control Manager'
19 EventID: 7045
20 ImagePath|contains: 'tap0901'
21 condition: selection
22falsepositives:
23 - Legitimate OpenVPN TAP installation
24level: medium
References
Related rules
- Tap Driver Installation - Security
- Tap Installer Execution
- Suspicious Redirection to Local Admin Share
- Copy From Or To Admin Share Or Sysvol Folder
- Powershell DNSExfiltration