sigmalowHunting

Tap Driver Installation - Security

Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.

MITRE ATT&CK

T1048

exfiltration

Detection Query

selection:
  EventID: 4697
  ServiceFileName|contains: tap0901
condition: selection

Author

Daniil Yugoslavskiy, Ian Davis, oscd.community

Created

2019-10-24

Data Sources

windowssecurity

Platforms

windows

References

https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers

Tags

attack.exfiltrationattack.t1048

Raw Content

title: Tap Driver Installation - Security
id: 9c8afa4d-0022-48f0-9456-3712466f9701
related:
    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
      type: derived
status: test
description: |
    Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
references:
    - https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019-10-24
modified: 2022-11-29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    service: security
    definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP installation
level: low