Tap Installer Execution
Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
Sigma rule
title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\tapinstall.exe'
    filter_optional_avast:
        Image|contains:
            - ':\Program Files\Avast Software\SecureLine VPN\'
            - ':\Program Files (x86)\Avast Software\SecureLine VPN\'
    filter_optional_openvpn:
        Image|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'
    filter_optional_protonvpn:
        Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate OpenVPN TAP installation
level: medium
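The following is an added example (not code from the Sigma project or the rule authors) that evaluates this rule's condition, `selection and not 1 of filter_optional_*`, over a few constructed process_creation events, so an analyst can see which paths alert and which are tuned out by the optional filters. It assumes Sigma's default case-insensitive string matching for `endswith` and `contains`.

```python
# Added example: applies the "Tap Installer Execution" rule logic to sample events.
# Sigma string modifiers (endswith, contains) match case-insensitively by default,
# so every comparison below is done on lower-cased strings.

SELECTION_SUFFIX = "\\tapinstall.exe"

# The three filter_optional_* blocks from the rule; matching any one suppresses the alert.
FILTERS = {
    "filter_optional_avast": [
        ":\\Program Files\\Avast Software\\SecureLine VPN\\",
        ":\\Program Files (x86)\\Avast Software\\SecureLine VPN\\",
    ],
    "filter_optional_openvpn": [
        ":\\Program Files\\OpenVPN Connect\\drivers\\tap\\",
    ],
    "filter_optional_protonvpn": [
        ":\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\",
    ],
}


def selection_matches(image: str) -> bool:
    """Image|endswith: '\\tapinstall.exe' (case-insensitive)."""
    return image.lower().endswith(SELECTION_SUFFIX)


def matched_filters(image: str) -> list:
    """Names of the filter_optional_* blocks whose Image|contains value matches."""
    img = image.lower()
    return [name for name, needles in FILTERS.items()
            if any(n.lower() in img for n in needles)]


def evaluate(event: dict) -> tuple:
    """Return (alert, reason) for one process_creation event with an Image field."""
    image = event.get("Image", "")
    if not selection_matches(image):
        return False, "selection not matched"
    hits = matched_filters(image)
    if hits:  # "not 1 of filter_optional_*": any single filter hit suppresses
        return False, "tuned out by " + ", ".join(hits)
    return True, "tapinstall.exe outside the known VPN install paths"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\OpenVPN Connect\\drivers\\tap\\tapinstall.exe"},
    {"Image": "C:\\Users\\Public\\Downloads\\tapinstall.exe"},
    {"Image": "C:\\Program Files (x86)\\Avast Software\\SecureLine VPN\\TapInstall.exe"},
    {"Image": "C:\\Windows\\System32\\drvinst.exe"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Evaluate each event; returns [(image, alert_bool), ...]."""
    return [(e["Image"], evaluate(e)[0]) for e in events]


if __name__ == "__main__":
    for image, alert in run():
        print(("ALERT  " if alert else "ignore ") + image)
```

Only the copy of tapinstall.exe run from a user-writable directory alerts; the vendor-path copies are suppressed, which is why this rule is tagged `level: medium` and the remaining false positive is a legitimate OpenVPN TAP install from an unlisted path.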
Related rules
- Copy From Or To Admin Share Or Sysvol Folder
- DNS TOR Proxies
- Powershell DNSExfiltration
- Suspicious Redirection to Local Admin Share
- Tap Driver Installation