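# Sigma rule: flags execution of the TAP virtual network adapter driver
# installer (tapinstall.exe) outside of the VPN product paths excluded
# under `detection` below.
title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: >-
  Detects execution of tapinstall.exe, the well-known installer for TAP
  (virtual network adapter) drivers. Outside of a known VPN product this may
  be preparation for data exfiltration using tunneling techniques.
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2023/02/13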
tags:
    # T1048 (Exfiltration Over Alternative Protocol): the description frames a
    # TAP adapter install as possible preparation for tunnelled exfiltration.
    # NOTE(review): attack.t1572 (Protocol Tunneling) may also be worth tagging.
    - attack.exfiltration
    - attack.t1048
# Windows process-creation telemetry is required; the detection relies on the
# Image field (full path of the created process) being populated.
logsource:
    category: process_creation
    product: windows
detection:
    # Matches on the image file name only, so a renamed or relocated copy of
    # the installer is not caught; the filters below are keyed on the install
    # paths of known VPN products, not on signature or hash.
    selection:
        Image|endswith: '\tapinstall.exe'
    # Exact-path exclusion for Avast SecureLine under both Program Files roots.
    filter_avast:
        Image:
            - 'C:\Program Files\Avast Software\SecureLine VPN\tapinstall.exe'
            - 'C:\Program Files (x86)\Avast Software\SecureLine VPN\tapinstall.exe'
    # Prefix exclusion: any tapinstall.exe beneath the driver directory is
    # ignored. Only the 64-bit Program Files root is listed, unlike the Avast
    # filter — NOTE(review): confirm whether a 32-bit install path exists.
    filter_openvpn:
        Image|startswith: 'C:\Program Files\OpenVPN Connect\drivers\tap\'
    # Prefix exclusion as above; only the 32-bit Program Files root is listed.
    filter_protonvpn:
        Image|startswith: 'C:\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
    # Fires for any tapinstall.exe that is not under one of the known product
    # paths. Because the exclusions are path-based, an actor with write access
    # to those directories could evade the rule by staging the binary there;
    # weigh that against the false-positive rate before widening the filters.
    condition: selection and not 1 of filter_*
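# Any VPN client whose install path is not listed in the filter_* exclusions
# will trigger this rule when it installs its TAP adapter; tune the filters to
# the products deployed in the environment rather than lowering the level.
falsepositives:
    - Legitimate TAP driver installation by VPN clients whose install path is not covered by the filters (e.g. other OpenVPN distributions)
level: medium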