Detectionmediumtest

Tap Driver Installation

Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Daniil Yugoslavskiy, Ian Davis, oscd.communityCreated Thu Oct 24Updated Sun Dec 258e4cf0e5-aa5d-4dc3-beff-dc26917744a9windows

Log Source

Windowssystem

ProductWindows← raw: windows

Servicesystem← raw: system

Detection Logic

detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains: 'tap0901'
    condition: selection

False Positives

Legitimate OpenVPN TAP installation

References

Resolving title…

community.openvpn.net

MITRE ATT&CK

Tactics

TA0010 · Exfiltration

Techniques

T1048 · Exfiltration Over Alternative Protocol

Rule Metadata

Rule ID

8e4cf0e5-aa5d-4dc3-beff-dc26917744a9

Status

test

Level

medium

Type

Detection

Created

Thu Oct 24

Modified

Sun Dec 25

Author

Daniil Yugoslavskiy, Ian Davis, oscd.community

Path

rules/windows/builtin/system/service_control_manager/win_system_service_install_tap_driver.yml

Raw Tags

attack.exfiltrationattack.t1048

View on GitHub