
Summary
This detection rule identifies the installation of Windows Pcap drivers by watching the Windows Security event log for service installations. It focuses on Event ID 4697 ("A service was installed in the system"), which is written when a new service, including a kernel driver, is registered with the Service Control Manager. The rule inspects the ServiceFileName field of that event, which holds the path of the service binary, and matches when that path contains one of a set of substrings associated with common packet capture drivers, including 'pcap', 'npcap', and others. By flagging service installations whose binary path carries one of these keywords, the rule surfaces potentially unauthorized installations of packet capture drivers, which can be used to sniff network traffic and may indicate credential theft or surveillance. Two caveats apply in practice: Event ID 4697 is only generated when the "Audit Security System Extension" subcategory is enabled, so the rule produces nothing on hosts running default audit settings; and because the match is a substring test on the file path, legitimate installs of tools such as Wireshark, which ships with Npcap, will fire it, while a capture driver copied under a neutral file name will not. The rule is therefore better treated as a baseline or enrichment signal that is tuned against known-good installs than as a high-confidence alert on its own.
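To show how the rule's matching works in practice, the following Python re-implements the logic and runs it over constructed Event ID 4697 records. This is an added example, not the rule's own definition or any tooling from the rule's authors. Its keyword list holds only the two substrings named above ('pcap' and 'npcap') and is therefore an assumed, partial version of the rule's list; the Windows Event XML records are constructed for the example, and the comparison is case-insensitive because that is how Sigma's contains modifier behaves.

```python
import xml.etree.ElementTree as ET

# Substrings the rule looks for in ServiceFileName. The summary names 'pcap'
# and 'npcap' and says the rule has others; this is an assumed, partial list.
PCAP_KEYWORDS = ("pcap", "npcap")

# Windows Event XML namespace used by every record below.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Return (channel, event_id, event_data dict) from a Windows Event XML record."""
    root = ET.fromstring(xml_text)
    channel = root.findtext("e:System/e:Channel", default="", namespaces=NS)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return channel, event_id, data


def match_pcap_driver_install(xml_text):
    """Apply the rule: Security 4697 whose ServiceFileName contains a keyword.

    Sigma's 'contains' modifier is case-insensitive, so the path is lower-cased
    before testing. Returns a dict describing the hit, or None when no match.
    """
    channel, event_id, data = parse_event(xml_text)
    if channel != "Security" or event_id != 4697:
        return None
    path = data.get("ServiceFileName", "")
    hits = [k for k in PCAP_KEYWORDS if k in path.lower()]
    if not hits:
        return None
    return {
        "user": data.get("SubjectUserName", ""),
        "service": data.get("ServiceName", ""),
        "path": path,
        "hits": hits,
    }


def scan(events):
    """Run the rule over a list of XML records and return the matches in order."""
    return [m for m in (match_pcap_driver_install(e) for e in events) if m]


def _event_4697(user, service, path):
    """Build a constructed Security 4697 record carrying the fields the rule reads."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4697</EventID>
    <Channel>Security</Channel>
    <Computer>WS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="ServiceName">{service}</Data>
    <Data Name="ServiceFileName">{path}</Data>
    <Data Name="ServiceType">0x1</Data>
    <Data Name="ServiceStartType">3</Data>
  </EventData>
</Event>"""


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # True positive: the Npcap driver registered as a kernel service.
    _event_4697("alice", "npcap", r"\SystemRoot\system32\DRIVERS\npcap.sys"),
    # Benign service install that must not match.
    _event_4697("SYSTEM", "W32Time", r"C:\Windows\System32\svchost.exe -k LocalService"),
    # Mixed case in the path: the case-insensitive match still fires.
    _event_4697("bob", "USBPcap", r"C:\Windows\System32\drivers\USBPcap.sys"),
    # Evasion caveat: a capture driver copied under a neutral name is missed.
    _event_4697("bob", "NetHelper", r"C:\Users\bob\AppData\Local\Temp\nethlp.sys"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[PCAP driver install] user={hit['user']} service={hit['service']} "
              f"path={hit['path']} matched={hit['hits']}")
```

Running it reports the npcap and USBPcap installs and stays silent on the svchost and renamed-driver records, which illustrates both the rule's reach and its blind spot: anything that keeps a recognisable name in the binary path is caught, and anything that does not is not. Note that 'npcap' paths also satisfy the 'pcap' substring, so the shorter keyword alone would already cover the Npcap case.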
Categories
- Windows
Data Sources
- Windows Registry
- Logon Session
- Application Log
- Service
Created: 2020-06-10