title: WinDivert Driver Load
author: Florian Roth
date: 2021/07/30
description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection
  package for Windows
detection:
  SELECTION_1:
    EventID: 6
  SELECTION_2:
    ImageLoaded:
    - '*\WinDivert.sys*'
    - '*\WinDivert64.sys*'
  condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- legitimate WinDivert driver usage
id: 679085d5-f427-4484-9f58-1dc30a7c426d
level: high
logsource:
  category: driver_load
  product: windows
references:
- https://reqrypt.org/windivert-doc.html
- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
status: experimental
tags:
- attack.collection
- attack.defense_evasion
- attack.t1599.001
- attack.t1557.001
ruletype: SIGMA