Techniques
Sample rules
WinDivert Driver Load
- source: sigma
- technicques:
- t1557
- t1557.001
- t1599
- t1599.001
Description
Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
Detection logic
condition: 1 of selection*
selection:
ImageLoaded|contains:
- \WinDivert.sys
- \WinDivert64.sys
- \NordDivert.sys
- \lingtiwfp.sys
- \eswfp.sys
selection_hashes:
Imphash:
- 0604bb7cb4bb851e2168d5c7d9399087
- 2e5f0e649d97f32b03c09e4686d0574f
- 52f8aa269f69f0edad9e8fcdaedce276
- c0e5d314da39dbf65a2dbff409cc2c76
- 58623490691babe8330adc81cd04a663
- 8ee39b48656e4d6b8459d7ba7da7438b
- 45ee545ae77e8d43fc70ede9efcd4c96
- a1b2e245acd47e4a348e1a552a02859a
- 2a5f85fe4609461c6339637594fa9b0a
- 6b2c6f95233c2914d1d488ee27531acc
- 9f2fdd3f9ab922bbb0560a7df46f4342
- d8a719865c448b1bd2ec241e46ac1c88
- 0ea54f8c9af4a2fe8367fa457f48ed38
- 9d519ae0a0864d6d6ae3f8b6c9c70af6
- a74929edfc3289895e3f2885278947ae
- a66b476c2d06c370f0a53b5537f2f11e
- bdcd836a46bc2415773f6b5ea77a46e4
- c28cd6ccd83179e79dac132a553693d9
selection_sysmon:
Hashes|contains:
- IMPHASH=0604bb7cb4bb851e2168d5c7d9399087
- IMPHASH=2e5f0e649d97f32b03c09e4686d0574f
- IMPHASH=52f8aa269f69f0edad9e8fcdaedce276
- IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76
- IMPHASH=58623490691babe8330adc81cd04a663
- IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b
- IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96
- IMPHASH=a1b2e245acd47e4a348e1a552a02859a
- IMPHASH=2a5f85fe4609461c6339637594fa9b0a
- IMPHASH=6b2c6f95233c2914d1d488ee27531acc
- IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342
- IMPHASH=d8a719865c448b1bd2ec241e46ac1c88
- IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38
- IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6
- IMPHASH=a74929edfc3289895e3f2885278947ae
- IMPHASH=a66b476c2d06c370f0a53b5537f2f11e
- IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4
- IMPHASH=c28cd6ccd83179e79dac132a553693d9