Potential CVE-2022-29072 Exploitation Attempt
Detects potential exploitation attempts of CVE-2022-29072, a reported 7-Zip privilege escalation and command execution issue. 7-Zip version 21.07 and earlier on Windows was reported to allow privilege escalation and command execution when a file with the .7z extension is dragged to the Help > Contents area, attributed to a misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process, and that parent/child relationship is what the rule keys on: cmd.exe spawned directly by 7zFM.exe. Note that the CVE entry carries a disputed note, since multiple third parties reported that this is not a vulnerability; treat a hit as a suspicious process pair worth triaging rather than as confirmed exploitation.
Sigma rule

title: Potential CVE-2022-29072 Exploitation Attempt
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
status: test
description: |
    Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
    7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
    The command runs in a child process under the 7zFM.exe process.
references:
    - https://github.com/kagancapar/CVE-2022-29072
    - https://twitter.com/kagancapar/status/1515219358234161153
author: frack113
date: 2022/04/17
modified: 2023/02/07
tags:
    - attack.execution
    - cve.2022.29072
    - detection.emerging_threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_parent:
        ParentImage|endswith: '\7zFM.exe'
    filter_bat:
        CommandLine|contains:
            - ' /c '
            - ' /k '
            - ' /r '
    filter_null:
        CommandLine: null
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
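To see what the rule actually fires on, here is its selection and filter logic re-implemented in Python and run over a few constructed Sysmon-style process_creation events. This is an added example, not SigmaHQ's code or tooling; the event dicts, paths and ids are made up for illustration, and string matching is done case-insensitively as Sigma does by default. It also shows one edge the filter leaves open: `filter_bat` requires spaces around `/c`, `/k` and `/r`, so a command line like `cmd.exe /c"whoami"` is not filtered and will alert.

```python
"""Added example (not part of the SigmaHQ rule or this page): the rule's
selection/filter logic re-implemented in Python and evaluated over
constructed Sysmon-style process_creation events."""


def _endswith_ci(value, suffix):
    """Sigma 'endswith' is case-insensitive; a missing field never matches."""
    return isinstance(value, str) and value.lower().endswith(suffix.lower())


def _equals_ci(value, expected):
    """Plain Sigma field match, case-insensitive, False on a missing field."""
    return isinstance(value, str) and value.lower() == expected.lower()


def matches_rule(event):
    """Evaluate 'all of selection_* and not 1 of filter_*' for one event."""
    # selection_img is a list of maps, so its two alternatives are OR-ed
    selection_img = (
        _endswith_ci(event.get("Image"), "\\cmd.exe")
        or _equals_ci(event.get("OriginalFileName"), "Cmd.Exe")
    )
    selection_parent = _endswith_ci(event.get("ParentImage"), "\\7zFM.exe")

    cmdline = event.get("CommandLine")
    # filter_bat: 'cmd /c|/k|/r ...' is how 7-Zip runs a .bat/.cmd opened from an archive
    filter_bat = isinstance(cmdline, str) and any(
        token in cmdline.lower() for token in (" /c ", " /k ", " /r ")
    )
    # filter_null: CommandLine absent or null (some log sources do not record it)
    filter_null = cmdline is None

    return selection_img and selection_parent and not (filter_bat or filter_null)


def run_rule(events):
    """Return the ids of matching events, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


SEVEN_ZIP = r"C:\Program Files\7-Zip\7zFM.exe"   # assumed install path
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample events; field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    # 1: bare cmd.exe under 7zFM.exe, the pattern the rule is after
    {"id": 1, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "ParentImage": SEVEN_ZIP, "CommandLine": '"C:\\Windows\\System32\\cmd.exe"'},
    # 2: a .bat opened from the archive viewer -> dropped by filter_bat
    {"id": 2, "Image": CMD, "OriginalFileName": "Cmd.Exe", "ParentImage": SEVEN_ZIP,
     "CommandLine": 'cmd.exe /C "C:\\Users\\u\\AppData\\Local\\Temp\\7zO1234\\setup.bat"'},
    # 3: no command line recorded -> dropped by filter_null
    {"id": 3, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "ParentImage": SEVEN_ZIP, "CommandLine": None},
    # 4: cmd.exe launched from explorer.exe -> selection_parent fails
    {"id": 4, "Image": CMD, "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    # 5: renamed cmd.exe; OriginalFileName from the PE version info still matches
    {"id": 5, "Image": r"C:\Users\u\Downloads\update.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": SEVEN_ZIP, "CommandLine": "update.exe"},
    # 6: '/c' glued to its argument: filter_bat needs surrounding spaces, so this alerts
    {"id": 6, "Image": CMD, "OriginalFileName": "Cmd.Exe", "ParentImage": SEVEN_ZIP,
     "CommandLine": 'cmd.exe /c"whoami"'},
]

if __name__ == "__main__":
    print("matching event ids:", run_rule(SAMPLE_EVENTS))  # [1, 5, 6]
```

Events 1, 5 and 6 match; 2 and 3 are removed by the two filters and 4 fails the parent check. Event 5 is why the rule matches on OriginalFileName as well as Image: renaming cmd.exe does not change the version resource the logger reads it from. Event 6 is the caveat to keep in mind when tuning: if legitimate 7-Zip activity in your environment produces `/c` without a trailing space, the filter will not suppress it.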
Related rules
- Potential Raspberry Robin Dot Ending File
- Potential CVE-2022-26809 Exploitation Attempt
- Potential Exploitation Attempt From Office Application
- Mint Sandstorm - Log4J Wstomcat Process Execution
- Potential APT FIN7 POWERHOLD Execution