
Tap Driver Installation - Security

Detects the installation of the well-known OpenVPN TAP-Windows driver service (tap0901), logged as Security event 4697. On a host where no VPN client is expected, this can be a sign of preparation for data exfiltration through a tunnelled channel.

Authors: Daniil Yugoslavskiy, Ian Davis, oscd.community
Created: Thu Oct 24
Updated: Tue Nov 29
ID: 9c8afa4d-0022-48f0-9456-3712466f9701

Log Source
Product: windows
Service: security

Definition

Requirements: the "Audit Security System Extension" subcategory (Advanced Audit Policy Configuration, System category) must be enabled for success events; otherwise EID 4697 ("A service was installed in the system") is never written to the Security log and the rule cannot fire.

Detection Logic (1 selector)
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'tap0901'
    condition: selection
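The selection above is a single map, so a backend turns it into "EventID equals 4697 AND ServiceFileName contains tap0901", with the string comparison case-insensitive as Sigma specifies by default. The following Python is an added example that is not part of the rule or of the SigmaHQ repository: it evaluates exactly that selection over constructed Security-log events (modelled on the fields EID 4697 exposes, not captured real data) so you can see which records fire and which do not.

```python
"""Evaluate the win_security_tap_driver_installation selection over sample events.

Added example, not code from the Sigma rule or SigmaHQ. The events below are
constructed samples shaped like Windows Security EID 4697 records; they are
not real log data.
"""
from typing import Any, Dict, List

# The rule's selection, transcribed from the YAML above.
SELECTION: Dict[str, Any] = {
    "EventID": 4697,
    "ServiceFileName|contains": "tap0901",
}


def field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Check one selection entry (field or field|modifier) against one event.

    Only the two forms this rule uses are implemented: an exact value and
    the ``contains`` modifier. Sigma string matching is case-insensitive by
    default, so both sides are lowercased. Exact values are compared as
    strings because log pipelines frequently deliver numeric fields as text.
    """
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = event[field]
    if modifier == "":
        return str(actual) == str(expected)
    if modifier == "contains":
        return str(expected).lower() in str(actual).lower()
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(event: Dict[str, Any], selection: Dict[str, Any] = SELECTION) -> bool:
    """A Sigma map selection is an AND over all of its entries."""
    return all(field_matches(event, key, value) for key, value in selection.items())


def find_alerts(events: List[Dict[str, Any]]) -> List[str]:
    """Return the ServiceName of every event the rule fires on, in log order."""
    return [e.get("ServiceName", "<unknown>") for e in events if selection_matches(e)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {  # OpenVPN TAP-Windows driver service: should fire
        "EventID": 4697,
        "ServiceName": "tap0901",
        "ServiceFileName": r"C:\Windows\System32\drivers\tap0901.sys",
        "ServiceType": "0x1",
        "ServiceStartType": "3",
    },
    {  # same driver, upper-case name and a vendor path: still fires (case-insensitive)
        "EventID": "4697",  # delivered as a string by some pipelines
        "ServiceName": "TAP-Windows Adapter V9",
        "ServiceFileName": r"C:\Program Files\TAP-Windows\driver\TAP0901.SYS",
        "ServiceType": "0x1",
        "ServiceStartType": "3",
    },
    {  # unrelated service installation: must not fire
        "EventID": 4697,
        "ServiceName": "Spooler",
        "ServiceFileName": r"C:\Windows\System32\spoolsv.exe",
        "ServiceType": "0x10",
        "ServiceStartType": "2",
    },
    {  # right file name but a process-creation event, not a service install: must not fire
        "EventID": 4688,
        "NewProcessName": r"C:\Temp\tap0901.sys",
    },
]

if __name__ == "__main__":
    for name in find_alerts(SAMPLE_EVENTS):
        print(f"TAP driver installation detected: service {name!r}")
```

Because the match is purely on the driver file name, any installer that ships tap0901.sys fires it; tune by correlating with the installing process or with the host's expected software rather than by tightening the string.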
False Positives

Legitimate OpenVPN TAP-Windows installation, including VPN clients built on OpenVPN that bundle the same tap0901 driver

Rule Metadata
Rule ID
9c8afa4d-0022-48f0-9456-3712466f9701
Status
test
Level
low
Type
Detection
Created
Thu Oct 24
Modified
Tue Nov 29
Path
rules/windows/builtin/security/win_security_tap_driver_installation.yml
Raw Tags
attack.exfiltration, attack.t1048