title: WinDivert Driver Load
id: 679085d5-f427-4484-9f58-1dc30a7c426d
status: experimental
description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
author: Florian Roth
date: 2021/07/30
references:
    - https://reqrypt.org/windivert-doc.html
    - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
tags:
    - attack.collection
    - attack.defense_evasion
    - attack.t1599.001
    - attack.t1557.001
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        ImageLoaded|contains: 
            - '\WinDivert.sys'
            - '\WinDivert64.sys'
    condition: selection
falsepositives:
    - Legitimate WinDivert driver usage
level: high