Techniques
Sample rules
Tap Installer Execution
- source: sigma
- techniques:
  - t1048
Description
Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques.
Detection logic
condition: selection and not 1 of filter_optional_*
filter_optional_avast:
  Image|contains:
    - ':\Program Files\Avast Software\SecureLine VPN\'
    - ':\Program Files (x86)\Avast Software\SecureLine VPN\'
filter_optional_openvpn:
  Image|contains: ':\Program Files\OpenVPN Connect\drivers\tap\'
filter_optional_protonvpn:
  Image|contains: ':\Program Files (x86)\Proton Technologies\ProtonVPNTap\installer\'
selection:
  Image|endswith: '\tapinstall.exe'
Tap Driver Installation - Security
- source: sigma
- techniques:
  - t1048
Description
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
Detection logic
condition: selection
selection:
  EventID: 4697
  ServiceFileName|contains: tap0901
Tap Driver Installation
- source: sigma
- techniques:
  - t1048
Description
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques.
Detection logic
condition: selection
selection:
  EventID: 7045
  ImagePath|contains: tap0901
  Provider_Name: Service Control Manager
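To show how the three detection blocks above behave on real-looking telemetry, here is an added example (not code from the page or from the Sigma project) that transcribes the three rules into Python dictionaries and evaluates them against a handful of constructed Windows events. It implements only the subset of Sigma semantics the rules use: case-insensitive `contains`/`endswith`/equality matching, list values as OR, multiple fields in a selection as AND, and the `1 of filter_optional_*` wildcard in the condition. The events, field names and paths are constructed for illustration; a real deployment would feed Sysmon process-creation, Security 4697 and System 7045 events into a Sigma backend instead.

```python
"""Evaluate the three TAP-driver Sigma rules from the page against constructed events."""
import re
from fnmatch import fnmatchcase

# Detection blocks transcribed from the page (rule name -> selections + condition).
RULES = {
    "Tap Installer Execution": {
        "selection": {"Image|endswith": "\\tapinstall.exe"},
        "filter_optional_avast": {"Image|contains": [
            ":\\Program Files\\Avast Software\\SecureLine VPN\\",
            ":\\Program Files (x86)\\Avast Software\\SecureLine VPN\\",
        ]},
        "filter_optional_openvpn": {
            "Image|contains": ":\\Program Files\\OpenVPN Connect\\drivers\\tap\\"},
        "filter_optional_protonvpn": {
            "Image|contains": ":\\Program Files (x86)\\Proton Technologies\\ProtonVPNTap\\installer\\"},
        "condition": "selection and not 1 of filter_optional_*",
    },
    "Tap Driver Installation - Security": {
        "selection": {"EventID": 4697, "ServiceFileName|contains": "tap0901"},
        "condition": "selection",
    },
    "Tap Driver Installation": {
        "selection": {"EventID": 7045, "ImagePath|contains": "tap0901",
                      "Provider_Name": "Service Control Manager"},
        "condition": "selection",
    },
}

# Constructed sample events (not captured from a real host).
EVENTS = [
    # Sysmon-style process creation: tapinstall.exe launched from a user-writable path.
    {"Image": "C:\\Users\\Public\\tapinstall.exe"},
    # Same binary, but from the OpenVPN install path that the optional filter excludes.
    {"Image": "C:\\Program Files\\OpenVPN Connect\\drivers\\tap\\tapinstall.exe"},
    # Security log 4697: a service whose binary is the tap0901 driver.
    {"EventID": 4697, "ServiceFileName": "C:\\Windows\\System32\\drivers\\tap0901.sys"},
    # System log 7045 from the Service Control Manager for the same driver.
    {"EventID": 7045, "ImagePath": "system32\\DRIVERS\\tap0901.sys",
     "Provider_Name": "Service Control Manager"},
]


def _match_field(event, key, expected):
    """Match one 'Field|modifier: value(s)' pair; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):  # list == OR
        cand = str(cand).lower()
        if modifier == "contains" and cand in value:
            return True
        if modifier == "endswith" and value.endswith(cand):
            return True
        if modifier == "startswith" and value.startswith(cand):
            return True
        if modifier == "" and value == cand:
            return True
    return False


def _match_selection(event, selection):
    """All field/value pairs inside one selection must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Evaluate the rule's condition (and/or/not/1 of/all of) over its selections."""
    results = {n: _match_selection(event, s) for n, s in rule.items() if n != "condition"}
    tokens = re.findall(r"\(|\)|[^\s()]+", rule["condition"])
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            take()  # closing ')'
            return val
        if tok in ("1", "all") and peek() == "of":
            take()  # 'of'
            pattern = take()
            pattern = "*" if pattern == "them" else pattern
            hits = [results[n] for n in results if fnmatchcase(n, pattern)]
            return any(hits) if tok == "1" else all(hits)
        return results[tok]

    def term():
        val = factor()
        while peek() == "and":
            take()
            rhs = factor()
            val = val and rhs
        return val

    def expr():
        val = term()
        while peek() == "or":
            take()
            rhs = term()
            val = val or rhs
        return val

    return expr()


def run_rules(events=EVENTS):
    """Return (rule name, event index) for every rule/event pair that fires."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if evaluate(rule, ev)]


if __name__ == "__main__":
    for name, idx in run_rules():
        print(f"{name}: matched event {idx}")
```

Event 1 is the interesting case: the selection matches, but the `1 of filter_optional_*` clause suppresses the alert because the image sits under the OpenVPN driver directory, which is exactly the trade-off the optional filters encode (fewer alerts on legitimate VPN installers, at the cost of missing a TAP installer that is dropped into that path).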