phantinuss
27 lines
771 B
YAML
27 lines
771 B
YAML
title: WinDivert Driver Load
|
|
id: 679085d5-f427-4484-9f58-1dc30a7c426d
|
|
status: experimental
|
|
description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
|
|
author: Florian Roth
|
|
date: 2021/07/30
|
|
references:
|
|
- https://reqrypt.org/windivert-doc.html
|
|
- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
|
|
tags:
|
|
- attack.collection
|
|
- attack.defense_evasion
|
|
- attack.t1599.001
|
|
- attack.t1557.001
|
|
logsource:
|
|
category: driver_load
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
ImageLoaded|contains:
|
|
- '\WinDivert.sys'
|
|
- '\WinDivert64.sys'
|
|
condition: selection
|
|
falsepositives:
|
|
- Legitimate WinDivert driver usage
|
|
level: high
|