Windows Pcap Drivers
Detects Windows Pcap driver installation based on a list of associated .sys files.
Log Source
Product: windows
Service: security
Definition
The 'System Security Extension' audit subcategory needs to be enabled for Event ID 4697 to be logged.
Detection Logic

```yaml
detection:
  selection:
    EventID: 4697
    ServiceFileName|contains:
      - 'pcap'
      - 'npcap'
      - 'npf'
      - 'nm3'
      - 'ndiscap'
      - 'nmnt'
      - 'windivert'
      - 'USBPcap'
      - 'pktmon'
  condition: selection
```

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
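To show what the selection above actually matches, here is an added Python example (not part of the rule or the site) that applies the same EventID gate and ServiceFileName|contains logic to constructed 4697 events. It assumes Sigma's default case-insensitive string matching; the sample events, service names and paths are made up for the demonstration.

```python
"""Evaluate the Sigma selection above against constructed Security log events.

Constructed sample data; not from the original page. Field names follow the
Sigma Windows 'security' log source (EventID, ServiceFileName).
"""
from typing import Iterable, List, Optional

# Values copied from the rule's ServiceFileName|contains list.
PCAP_DRIVER_MARKERS = [
    "pcap", "npcap", "npf", "nm3", "ndiscap", "nmnt", "windivert", "USBPcap", "pktmon",
]


def sigma_contains(value: str, needles: Iterable[str]) -> bool:
    """Sigma string matching is case-insensitive by default; '|contains' means the
    value matches when any listed needle is a substring of it."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def matches_selection(event: dict) -> bool:
    """True when the event satisfies 'selection': EventID 4697 AND a marker in ServiceFileName."""
    if event.get("EventID") != 4697:
        return False
    service_file = event.get("ServiceFileName")
    if not isinstance(service_file, str):  # field absent or malformed: no match
        return False
    return sigma_contains(service_file, PCAP_DRIVER_MARKERS)


def find_pcap_driver_installs(events: Iterable[dict]) -> List[Optional[str]]:
    """Return the ServiceName of every event the rule would flag, in log order."""
    return [e.get("ServiceName") for e in events if matches_selection(e)]


# Constructed sample events (hypothetical service names and paths).
SAMPLE_EVENTS = [
    {"EventID": 4697, "ServiceName": "npcap", "ServiceFileName": r"C:\Windows\System32\DRIVERS\npcap.sys"},
    {"EventID": 4697, "ServiceName": "USBPcap", "ServiceFileName": r"\SystemRoot\system32\DRIVERS\usbpcap.sys"},
    {"EventID": 4697, "ServiceName": "WinDivert1.4", "ServiceFileName": r"C:\Tools\WinDivert64.sys"},
    {"EventID": 4697, "ServiceName": "PrintSvc", "ServiceFileName": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4688, "NewProcessName": r"C:\Program Files\Npcap\NPFInstall.exe"},  # wrong EID, ignored
    {"EventID": 4697, "ServiceName": "Broken", "ServiceFileName": None},  # field missing, ignored
]

if __name__ == "__main__":
    for name in find_pcap_driver_installs(SAMPLE_EVENTS):
        print("pcap driver install flagged:", name)
```

Note that the short markers such as 'npf' and 'nm3' are substring matches, so any service binary path containing those letters would also be flagged; that is the source of the unassessed false-positive risk noted above.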
References
MITRE ATT&CK
Techniques
Rule Metadata
Rule ID
7b687634-ab20-11ea-bb37-0242ac130002
Status
test
Level
medium
Type
Detection
Created
Wed Jun 10
Modified
Fri Apr 14
Author
Path
rules/windows/builtin/security/win_security_pcap_drivers.yml
Raw Tags
attack.discovery, attack.credential-access, attack.t1040