SigmaHQ/rules/windows/process_creation/win_tap_installer_execution.yml

title: Tap installer execution
description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
status: experimental
author: Daniil Yugoslavskiy, oscd.community
date: 2019/10/24
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
     category: process_creation
     product: windows
detection:
    selection:
        Image|endswith: '\tapinstall.exe'
    condition: selection
falsepositives:
    - Legitimate OpenVPN TAP insntallation
level: medium