WinDivert Driver Load

calendar Oct 23, 2025 · attack.credential-access attack.collection attack.defense-evasion attack.t1599.001 attack.t1557.001  ·
Share on: linkedin copy

Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

Sigma rule (View on GitHub)

 1title: WinDivert Driver Load
 2id: 679085d5-f427-4484-9f58-1dc30a7c426d
 3status: test
 4description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
 5references:
 6    - https://reqrypt.org/windivert-doc.html
 7    - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
 8author: Florian Roth (Nextron Systems)
 9date: 2021-07-30
10modified: 2024-11-23
11tags:
12    - attack.credential-access
13    - attack.collection
14    - attack.defense-evasion
15    - attack.t1599.001
16    - attack.t1557.001
17logsource:
18    category: driver_load
19    product: windows
20detection:
21    selection:
22        - ImageLoaded|contains:
23              - '\WinDivert.sys'
24              - '\WinDivert64.sys'
25              # Other used names
26              - '\NordDivert.sys'
27              - '\lingtiwfp.sys'
28              - '\eswfp.sys'
29        - Hashes|contains:
30              - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
31              - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
32              - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
33              - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
34              - 'IMPHASH=58623490691babe8330adc81cd04a663'
35              - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
36              - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
37              - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
38              - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
39              - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
40              - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
41              - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
42              - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
43              - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
44              - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
45              - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
46              - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
47              - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
48    condition: selection
49falsepositives:
50    - Legitimate WinDivert driver usage
51level: high

References

Related rules

to-top