title: Tap Driver Installation
id: 8bd47424-53e9-41ea-8a6a-a1f97b1bb0eb
related:
    - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
      type: derived
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
status: experimental
author: Daniil Yugoslavskiy, Ian Davis, oscd.community
date: 2019/10/24
modified: 2021/09/21
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        ImagePath|contains: 'tap0901'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP insntallation
level: medium