
Summary
This detection rule identifies the installation of TAP drivers by looking for events generated by the Windows Service Control Manager (SCM) when a new service is added. TAP drivers are commonly associated with VPN tools such as OpenVPN, which can be abused for tunneling and potential data exfiltration. The rule captures Event ID 7045, which is logged when a new service is installed, and filters for instances where the installed service's image path contains 'tap0901', the TAP driver's file name. The presence of such an event could signify preparation for unauthorized data tunneling. Organizations should monitor for it because a TAP driver can aid exfiltration attempts, and each hit should be assessed promptly, especially when it does not coincide with a known legitimate use case.
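The rule logic described above, applied to constructed Event ID 7045 records, as an added example that is not part of the rule or its catalog (the XML layout follows Windows' event schema; service names and paths are invented):

```python
"""Added example (not the rule's own code): apply the TAP-driver install
detection described above to constructed Event ID 7045 records."""
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

def make_event(event_id, **data):
    """Build a constructed System-log record in the XML shape EVTX exports use."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System>'
            f'<Provider Name="Service Control Manager"/><EventID>{event_id}</EventID>'
            f'<Channel>System</Channel></System><EventData>{fields}</EventData></Event>')

# Constructed samples: a TAP driver install, an unrelated service install,
# and a TAP install whose path is upper-cased (values invented for the example).
SAMPLE_EVENTS = [
    make_event(7045, ServiceName="tap0901", ServiceType="kernel mode driver",
               StartType="demand start",
               ImagePath=r"\SystemRoot\System32\drivers\tap0901.sys"),
    make_event(7045, ServiceName="AgentSvc", ServiceType="user mode service",
               StartType="auto start", ImagePath=r"C:\Program Files\Agent\agent.exe"),
    make_event(7045, ServiceName="TAP0901", ServiceType="kernel mode driver",
               StartType="demand start",
               ImagePath=r"C:\Windows\System32\drivers\TAP0901.SYS"),
]

def parse_event(xml_text):
    """Flatten one event into a dict: EventID plus every EventData field."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **data}

def matches_tap_driver_install(event):
    """Rule logic: SCM service install (7045) whose ImagePath contains 'tap0901'.
    The substring test is case-insensitive, as Sigma's contains modifier is."""
    return event.get("EventID") == 7045 and "tap0901" in event.get("ImagePath", "").lower()

def find_tap_driver_installs(xml_records):
    """Return (ServiceName, ImagePath) for every record the rule would fire on."""
    hits = []
    for record in xml_records:
        event = parse_event(record)
        if matches_tap_driver_install(event):
            hits.append((event.get("ServiceName", ""), event["ImagePath"]))
    return hits
```

Each hit is a candidate for triage against known VPN deployments; the second sample (an ordinary service install) is correctly ignored.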
Categories
- Windows
- Network
- Endpoint
Data Sources
- Windows Registry
- Service
- Logon Session
Created: 2019-10-24