Potential CVE-2022-29072 Exploitation Attempt

Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip versions 21.07 and earlier on Windows allow privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by a misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.

Sigma rule

```yaml
title: Potential CVE-2022-29072 Exploitation Attempt
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
status: test
description: |
    Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
    7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
    The command runs in a child process under the 7zFM.exe process.
references:
    - https://github.com/kagancapar/CVE-2022-29072
    - https://twitter.com/kagancapar/status/1515219358234161153
author: frack113, @kostastsale
date: 2022-04-17
modified: 2024-08-15
tags:
    - attack.execution
    - cve.2022-29072
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\7zFM.exe'
    selection_img:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    filter_main_extensions_and_flags:
        - CommandLine|contains:
              - ' /c '
              - ' /k '
              - ' /r '
        - CommandLine|endswith:
              - '.bat'
              - '.cmd'
              - '.ps1'
    filter_main_null:
        CommandLine: null
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
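To make the condition `all of selection_* and not 1 of filter_main_*` concrete, the following added example (not part of the Sigma project or of this rule's page) re-implements the rule's matching logic in Python and runs it over a handful of constructed Sysmon-style process_creation events; the field values and paths are made up for illustration.

```python
# Added example: evaluates this rule's selection/filter logic over constructed events.
SAMPLE_EVENTS = [  # constructed Sysmon-style events, not real telemetry
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe"},          # alert
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c "C:\Users\u\run.bat"'},                 # excluded: ' /c '
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe"},                                     # excluded: CommandLine null
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Temp\renamed.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "renamed.exe -nop"},  # alert via OriginalFileName
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe"},          # wrong parent
]

def _lower(value):
    return (value or "").lower()   # Sigma string matching is case-insensitive

def matches_rule(event):
    """True when the event satisfies: all of selection_* and not 1 of filter_main_*."""
    selection_parent = _lower(event.get("ParentImage")).endswith(r"\7zfm.exe")
    image = _lower(event.get("Image"))
    # A list of maps under one selection is OR-ed, so either Image or OriginalFileName suffices.
    selection_img = (
        any(image.endswith(s) for s in (r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe"))
        or _lower(event.get("OriginalFileName")) in ("cmd.exe", "powershell.exe", "pwsh.dll")
    )
    cmdline = event.get("CommandLine")
    filter_ext_flags = (
        any(flag in _lower(cmdline) for flag in (" /c ", " /k ", " /r "))
        or any(_lower(cmdline).endswith(ext) for ext in (".bat", ".cmd", ".ps1"))
    )
    filter_null = cmdline is None   # 'CommandLine: null' means the field is absent or null
    return selection_parent and selection_img and not (filter_ext_flags or filter_null)

def alerting_events(events):
    """Indexes of the events that would raise this rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]

if __name__ == "__main__":
    print(alerting_events(SAMPLE_EVENTS))  # [0, 3]
```

Note that the renamed-binary case (event 3) only alerts because the rule also keys on OriginalFileName, which is why both selection_img variants matter when you port this to a SIEM query.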
