SigmaHQ/rules/windows/process_creation/win_tap_installer_execution.yml

title: Tap installer execution
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
     category: process_creation
     product: windows
detection:
    selection:
        CommandLine: "*\\tapinstall.exe"
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP insntallation
level: medium
add tieto dns exfiltration rules 2019-10-25 02:30:55 +00:00			`title: Tap installer execution`
			`description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques`
			`status: experimental`
			`author: Daniil Yugoslavskiy, oscd.community`
			`date: 2019/10/24`
			`tags:`
			`- attack.exfiltration`
			`- attack.t1048`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
			`CommandLine: "*\\tapinstall.exe"`
			`condition: selection`
			`falsepositives:`
			`- Legitimate OpenVPN TAP insntallation`
			`level: medium`