security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fefb8564717d69af72ededb4172bc7ec00aac734
blue-team-tools/rules/windows/builtin/win_tap_driver_installation.yml
T
frack113 d02ee1eddd Update global ID
2021-09-02 21:16:55 +02:00

38 lines
869 B
YAML
Raw Blame History

action: global
title: Tap Driver Installation
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
status: experimental
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
tags:
- attack.exfiltration
- attack.t1048
falsepositives:
- Legitimate OpenVPN TAP insntallation
level: medium
detection:
selection:
ImagePath|contains: 'tap0901'
condition: selection
---
id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
---
id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb
logsource:
product: windows
category: driver_load
---
id: 9c8afa4d-0022-48f0-9456-3712466f9701
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
Reference in New Issue View Git Blame Copy Permalink