WinDivert Driver Load

calendar Aug 12, 2024 · attack.collection attack.defense-evasion attack.t1599.001 attack.t1557.001  ·
Share on: linkedin copy

Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

Sigma rule (View on GitHub)

 1title: WinDivert Driver Load
 2id: 679085d5-f427-4484-9f58-1dc30a7c426d
 3status: test
 4description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
 5references:
 6    - https://reqrypt.org/windivert-doc.html
 7    - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
 8author: Florian Roth (Nextron Systems)
 9date: 2021-07-30
10modified: 2022-11-19
11tags:
12    - attack.collection
13    - attack.defense-evasion
14    - attack.t1599.001
15    - attack.t1557.001
16logsource:
17    category: driver_load
18    product: windows
19detection:
20    selection:
21        ImageLoaded|contains:
22            - '\WinDivert.sys'
23            - '\WinDivert64.sys'
24            # Other used names
25            - '\NordDivert.sys'
26            - '\lingtiwfp.sys'
27            - '\eswfp.sys'
28    selection_sysmon:
29        Hashes|contains:
30            - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
31            - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
32            - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
33            - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
34            - 'IMPHASH=58623490691babe8330adc81cd04a663'
35            - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
36            - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
37            - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
38            - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
39            - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
40            - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
41            - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
42            - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
43            - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
44            - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
45            - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
46            - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
47            - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
48    selection_hashes:
49        Imphash:
50            - '0604bb7cb4bb851e2168d5c7d9399087'
51            - '2e5f0e649d97f32b03c09e4686d0574f'
52            - '52f8aa269f69f0edad9e8fcdaedce276'
53            - 'c0e5d314da39dbf65a2dbff409cc2c76'
54            - '58623490691babe8330adc81cd04a663'
55            - '8ee39b48656e4d6b8459d7ba7da7438b'
56            - '45ee545ae77e8d43fc70ede9efcd4c96'
57            - 'a1b2e245acd47e4a348e1a552a02859a'
58            - '2a5f85fe4609461c6339637594fa9b0a'
59            - '6b2c6f95233c2914d1d488ee27531acc'
60            - '9f2fdd3f9ab922bbb0560a7df46f4342'
61            - 'd8a719865c448b1bd2ec241e46ac1c88'
62            - '0ea54f8c9af4a2fe8367fa457f48ed38'
63            - '9d519ae0a0864d6d6ae3f8b6c9c70af6'
64            - 'a74929edfc3289895e3f2885278947ae'
65            - 'a66b476c2d06c370f0a53b5537f2f11e'
66            - 'bdcd836a46bc2415773f6b5ea77a46e4'
67            - 'c28cd6ccd83179e79dac132a553693d9'
68    condition: 1 of selection*
69falsepositives:
70    - Legitimate WinDivert driver usage
71level: high

References

Related rules

to-top