rules/windows/process_creation/win_tap_installer_execution.yml

title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
status: experimental
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
     category: process_creation
     product: windows
detection:
    selection:
        Image|endswith: '\tapinstall.exe'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP insntallation
level: medium
Rule fixes 2020-02-20 23:00:16 +01:00			`title: Tap Installer Execution`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 99793437-3e16-439b-be0f-078782cf953d`
OSCD QA wave 3 2020-01-19 22:34:16 +01:00			`description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques`
add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00			`status: experimental`
update authors for 2 rules 2019-12-07 02:10:06 +01:00			`author: Daniil Yugoslavskiy, Ian Davis, oscd.community`
add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00			`date: 2019/10/24`
			`tags:`
			`- attack.exfiltration`
			`- attack.t1048`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
add tieto dns exfil rules 2019-11-10 20:27:21 +03:00			`Image\|endswith: '\tapinstall.exe'`
add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00			`condition: selection`
			`falsepositives:`
			`- Legitimate OpenVPN TAP insntallation`
			`level: medium`