security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/windows/driver_load/driver_load_win_windivert.yml
T
frack113 d804e9cba1 Merge PR #5088 from @frack113 - Remove custom dedicated hash fields from sigmac 
update: GALLIUM IOCs - remove custom dedicated hash fields
update: Malicious DLL Load By Compromised 3CXDesktopApp - remove custom dedicated hash fields
update: Potential Compromised 3CXDesktopApp Execution - remove custom dedicated hash fields
update: HackTool Named File Stream Created - remove custom dedicated hash fields
update: PUA - Process Hacker Driver Load - remove custom dedicated hash fields
update: PUA - System Informer Driver Load - remove custom dedicated hash fields
update: Vulnerable HackSys Extreme Vulnerable Driver Load - remove custom dedicated hash fields
update: Vulnerable WinRing0 Driver Load - remove custom dedicated hash fields
update: WinDivert Driver Load - remove custom dedicated hash fields
update: HackTool - SharpEvtMute DLL Load - remove custom dedicated hash fields
update: HackTool - CoercedPotato Execution - remove custom dedicated hash fields
update: HackTool - CreateMiniDump Execution - remove custom dedicated hash fields
update: Hacktool Execution - Imphash - remove custom dedicated hash fields
update: HackTool - GMER Rootkit Detector and Remover Execution - remove custom dedicated hash fields
update: HackTool - HandleKatz LSASS Dumper Execution - remove custom dedicated hash fields
update: HackTool - Impersonate Execution - remove custom dedicated hash fields
update: HackTool - LocalPotato Execution - remove custom dedicated hash fields
update: HackTool - PCHunter Execution - remove custom dedicated hash fields
update: HackTool - PPID Spoofing SelectMyParent Tool Execution - remove custom dedicated hash fields
update: HackTool - Stracciatella Execution - remove custom dedicated hash fields
update: HackTool - SysmonEOP Execution - remove custom dedicated hash fields
update: HackTool - UACMe Akagi Execution - remove custom dedicated hash fields
update: HackTool - Windows Credential Editor (WCE) Execution - remove custom dedicated hash fields
update: MpiExec Lolbin - remove custom dedicated hash fields
update: PUA - Fast Reverse Proxy (FRP) Execution - remove custom dedicated hash fields
update: PUA- IOX Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Nimgrab Execution - remove custom dedicated hash fields
update: PUA - NPS Tunneling Tool Execution - remove custom dedicated hash fields
update: PUA - Process Hacker Execution - remove custom dedicated hash fields
update: PUA - System Informer Execution - remove custom dedicated hash fields
update: Remote Access Tool - NetSupport Execution From Unusual Location - remove custom dedicated hash fields
update: Renamed AdFind Execution - remove custom dedicated hash fields
update: Renamed AutoIt Execution - remove custom dedicated hash fields
update: Renamed NetSupport RAT Execution - remove custom dedicated hash fields
update: Renamed PAExec Execution - remove custom dedicated hash fields
update: Potential SquiblyTwo Technique Execution - remove custom dedicated hash fields

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-11-25 09:30:14 +01:00

51 lines
2.0 KiB
YAML
Raw Blame History

title: WinDivert Driver Load
id: 679085d5-f427-4484-9f58-1dc30a7c426d
status: test
description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
references:
- https://reqrypt.org/windivert-doc.html
- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
author: Florian Roth (Nextron Systems)
date: 2021-07-30
modified: 2024-11-23
tags:
- attack.collection
- attack.defense-evasion
- attack.t1599.001
- attack.t1557.001
logsource:
category: driver_load
product: windows
detection:
selection:
- ImageLoaded|contains:
- '\WinDivert.sys'
- '\WinDivert64.sys'
# Other used names
- '\NordDivert.sys'
- '\lingtiwfp.sys'
- '\eswfp.sys'
- Hashes|contains:
- 'IMPHASH=0604bb7cb4bb851e2168d5c7d9399087'
- 'IMPHASH=2e5f0e649d97f32b03c09e4686d0574f'
- 'IMPHASH=52f8aa269f69f0edad9e8fcdaedce276'
- 'IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76'
- 'IMPHASH=58623490691babe8330adc81cd04a663'
- 'IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b'
- 'IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96'
- 'IMPHASH=a1b2e245acd47e4a348e1a552a02859a'
- 'IMPHASH=2a5f85fe4609461c6339637594fa9b0a'
- 'IMPHASH=6b2c6f95233c2914d1d488ee27531acc'
- 'IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342'
- 'IMPHASH=d8a719865c448b1bd2ec241e46ac1c88'
- 'IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38'
- 'IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6'
- 'IMPHASH=a74929edfc3289895e3f2885278947ae'
- 'IMPHASH=a66b476c2d06c370f0a53b5537f2f11e'
- 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
- 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
condition: selection
falsepositives:
- Legitimate WinDivert driver usage
level: high
Reference in New Issue View Git Blame Copy Permalink