title: WinDivert Driver Load
author: Florian Roth
date: 2021/07/30
description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection
    package for Windows
detection:
    SELECTION_1:
        EventID: 6
    SELECTION_2:
        ImageLoaded: '*\WinDivert.sys*'
    SELECTION_3:
        ImageLoaded: '*\WinDivert64.sys*'
    condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- legitimate WinDivert driver usage
id: 679085d5-f427-4484-9f58-1dc30a7c426d
level: high
logsource:
    category: driver_load
    product: windows
references:
- https://reqrypt.org/windivert-doc.html
- https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
status: experimental
tags:
- attack.collection
- attack.defense_evasion
- attack.t1599.001
- attack.t1557.001
yml_filename: driver_load_windivert.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/driver_load