WinDivert Driver Load

calendar Nov 25, 2024 · attack.collection attack.defense-evasion attack.t1599.001 attack.t1557.001  ·
Share on: linkedin copy

Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

Sigma rule (View on GitHub)

 1title: WinDivert Driver Load
 2id: 679085d5-f427-4484-9f58-1dc30a7c426d
 3status: test
 4description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
 5references:
 6    - https://reqrypt.org/windivert-doc.html
 7    - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
 8author: Florian Roth (Nextron Systems)
 9date: 2021-07-30
10modified: 2024-11-23
11tags:
12    - attack.collection
13    - attack.defense-evasion
14    - attack.t1599.001
15    - attack.t1557.001
16logsource:
17    category: driver_load
18    product: windows
19detection:
20    selection:
21        - ImageLoaded|contains:
22              - '\WinDivert.sys'
23              - '\WinDivert64.sys'
24              # Other used names
25              - '\NordDivert.sys'
26              - '\lingtiwfp.sys'
27              - '\eswfp.sys'
28        - Hashes|contains:
29              - 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
30              - 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
31              - 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
32              - 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
33              - 'IMPHASH=58623490691babe8330adc81cd04a663'
34              - 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
35              - 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
36              - 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
37              - 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
38              - 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
39              - 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
40              - 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
41              - 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
42              - 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
43              - 'IMPHASH=a74929edfc3289895e3f2885278947ae'
44              - 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
45              - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
46              - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
47    condition: selection
48falsepositives:
49    - Legitimate WinDivert driver usage
50level: high

References

  • WinDivert 2.2 Documentation

    WinDivert 2.2: Windows Packet Divert Table of Contents 1. Introduction WinDivert is a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows 10, Windows 11, and ...


    Read More

  • NTLM Relaying via Cobalt Strike

    NTLM relaying is a popular attack strategy during a penetration test and is really trivial to perform. Just roll up at the client site, plug your laptop into the LAN, fire up responder and ntlmrelayx, and away you go. The majority of opportunistic relays come when a user or a


    Read More

Related rules

to-top