blue-team-tools/rules/windows/process_creation/proc_creation_win_tapinstall_execution.yml
Nasreddine Bencherchali e3503d5d60 feat: more updates
2023-03-06 00:39:26 +01:00


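# Sigma rule: alerts on process creation of the TAP-Windows driver installer
# (tapinstall.exe) unless it runs from one of the vendor install paths excluded
# below. A TAP adapter is a common prerequisite for VPN-style tunnels, which is
# why the rule is tagged under exfiltration / alternative-protocol tunneling.
title: Tap Installer Execution
id: 99793437-3e16-439b-be0f-078782cf953d
status: test
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2023/02/13
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\tapinstall.exe'
    # Known-good install locations that are excluded from alerting. These are
    # path-only exclusions (no signer or hash check), so the trust they grant is
    # tied to the directory, not to the binary; pair this rule with file
    # integrity or code-signing telemetry when triaging hits near these paths.
    filter_avast:
        Image:
            - 'C:\Program Files\Avast Software\SecureLine VPN\tapinstall.exe'
            - 'C:\Program Files (x86)\Avast Software\SecureLine VPN\tapinstall.exe'
    filter_openvpn:
        Image|startswith: 'C:\Program Files\OpenVPN Connect\drivers\tap\'
    filter_protonvpn:
        Image|startswith: 'C:\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
    condition: selection and not 1 of filter_*
falsepositives:
    # Any of the excluded vendors above (OpenVPN, Avast SecureLine, ProtonVPN)
    # installing from a non-default directory will also match.
    - Legitimate OpenVPN TAP installation
level: medium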