rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml

title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2023-12-11
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\tapinstall.exe'
    filter_optional_avast:
        Image|contains:
            - ':\Program Files\Avast Software\SecureLine VPN\'
            - ':\Program Files (x86)\Avast Software\SecureLine VPN\'
    filter_optional_openvpn:
        Image|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'
    filter_optional_protonvpn:
        Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate OpenVPN TAP installation
level: medium
Rule fixes 2020-02-20 23:00:16 +01:00			`title: Tap Installer Execution`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 99793437-3e16-439b-be0f-078782cf953d`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
OSCD QA wave 3 2020-01-19 22:34:16 +01:00			`description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques`
Merge PR #4681 from @nasbench - Add Missing Ref & Tags 2024-01-29 13:37:20 +01:00			`references:`
			`- https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers`
update authors for 2 rules 2019-12-07 02:10:06 +01:00			`author: Daniil Yugoslavskiy, Ian Davis, oscd.community`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2019-10-24`
			`modified: 2023-12-11`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
			`- attack.exfiltration`
			`- attack.t1048`
add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00			`logsource:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`category: process_creation`
			`product: windows`
add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00			`detection:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`selection:`
			`Image\|endswith: '\tapinstall.exe'`
Merge PR #4577 from @nasbench - Multiple Fixes & Updates 2023-12-21 21:04:18 +01:00			`filter_optional_avast:`
			`Image\|contains:`
			`- ':\Program Files\Avast Software\SecureLine VPN\'`
			`- ':\Program Files (x86)\Avast Software\SecureLine VPN\'`
			`filter_optional_openvpn:`
			`Image\|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'`
			`filter_optional_protonvpn:`
			`Image\|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'`
			`condition: selection and not 1 of filter_optional_*`
add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00			`falsepositives:`
Merge PR #4681 from @nasbench - Add Missing Ref & Tags 2024-01-29 13:37:20 +01:00			`- Legitimate OpenVPN TAP installation`
add tieto dns exfiltration rules 2019-10-25 04:30:55 +02:00			`level: medium`