Potential CVE-2022-29072 Exploitation Attempt

Detects potential exploitation attempts of CVE-2022-29072, a reported 7-Zip privilege escalation and command execution vulnerability. According to the original report, 7-Zip 21.07 and earlier on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged onto the Help > Contents area; the report attributes this to a misconfiguration of 7z.dll and a heap overflow. The resulting command runs in a child process of 7zFM.exe, and that parent/child relationship (cmd.exe spawned by 7zFM.exe) is what the rule keys on. Note that the CVE record is marked as disputed, with third parties stating that the behaviour is not a vulnerability in 7-Zip itself, so a hit should be treated as suspicious process lineage to investigate rather than as confirmed exploitation.

Sigma rule

title: Potential CVE-2022-29072 Exploitation Attempt
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
status: test
description: |
    Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
    7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
    The command runs in a child process under the 7zFM.exe process.
references:
    - https://github.com/kagancapar/CVE-2022-29072
    - https://twitter.com/kagancapar/status/1515219358234161153
author: frack113
date: 2022/04/17
modified: 2023/02/07
tags:
    - attack.execution
    - cve.2022.29072
    - detection.emerging_threats
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_parent:
        ParentImage|endswith: '\7zFM.exe'
    filter_bat:
        CommandLine|contains:
            - ' /c '
            - ' /k '
            - ' /r '
    filter_null:
        CommandLine: null
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
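To make the rule's condition concrete, the following is an added example (not part of the Sigma rule or of SigmaHQ) that re-implements the detection logic in Python and runs it over a handful of constructed process_creation events. The event dicts, their field names (Image, OriginalFileName, ParentImage, CommandLine, as Sigma names the Sysmon Event ID 1 fields) and the sample values are all constructed for illustration. String comparisons are done case-insensitively, which is Sigma's default for these modifiers.

```python
"""Evaluate the CVE-2022-29072 Sigma rule logic over constructed events.

Added example, not the rule's own code. Field names follow the Sigma
process_creation taxonomy; all sample events below are constructed.
"""

from typing import Dict, List, Optional

# Constructed sample events. CommandLine is None where the log source
# did not record a command line (the case filter_null is meant to drop).
SAMPLE_EVENTS: Dict[str, Dict[str, Optional[str]]] = {
    # cmd.exe spawned by the 7-Zip file manager with no /c, /k or /r switch
    "bare_cmd_under_7zfm": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
        "CommandLine": "cmd.exe",
    },
    # same lineage, but the command line carries /c: suppressed by filter_bat
    "cmd_c_under_7zfm": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
        "CommandLine": 'cmd.exe /c "dir C:\\"',
    },
    # cmd.exe under explorer.exe: wrong parent, selection_parent fails
    "cmd_under_explorer": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd.exe",
    },
    # renamed cmd.exe under 7zFM.exe but no command line recorded: filter_null
    "renamed_cmd_no_cmdline": {
        "Image": r"C:\Temp\notcmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
        "CommandLine": None,
    },
    # renamed cmd.exe under 7zFM.exe, caught via OriginalFileName
    "renamed_cmd_under_7zfm": {
        "Image": r"C:\Temp\notcmd.exe",
        "OriginalFileName": "cmd.exe",
        "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
        "CommandLine": "notcmd.exe",
    },
}


def matches_rule(event: Dict[str, Optional[str]]) -> bool:
    """Return True when the event satisfies
    'all of selection_* and not 1 of filter_*' from the rule above."""
    image = (event.get("Image") or "").lower()
    original = (event.get("OriginalFileName") or "").lower()
    parent = (event.get("ParentImage") or "").lower()
    cmdline = event.get("CommandLine")

    # selection_img is a list of maps, so the two entries are OR-ed:
    # Image|endswith '\cmd.exe'  OR  OriginalFileName == 'Cmd.Exe'
    selection_img = image.endswith("\\cmd.exe") or original == "cmd.exe"

    # selection_parent: ParentImage|endswith '\7zFM.exe'
    selection_parent = parent.endswith("\\7zfm.exe")

    # filter_bat: CommandLine|contains any of the batch switches
    filter_bat = cmdline is not None and any(
        switch in cmdline.lower() for switch in (" /c ", " /k ", " /r ")
    )

    # filter_null: CommandLine is absent from the event
    filter_null = cmdline is None

    return selection_img and selection_parent and not (filter_bat or filter_null)


def run_sample() -> List[str]:
    """Names of the constructed events that the rule would alert on."""
    return [name for name, ev in SAMPLE_EVENTS.items() if matches_rule(ev)]


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:28s} -> {'ALERT' if matches_rule(ev) else 'no match'}")
```

Running it shows the two lineage cases that fire (a plain cmd.exe and a renamed cmd.exe identified by OriginalFileName, both under 7zFM.exe) and the three that do not. The second event is worth noting when tuning: because filter_bat drops any command line containing " /c ", " /k " or " /r ", a cmd.exe launched by 7zFM.exe with an explicit /c payload is suppressed by this rule as written, so if that case matters in your environment it needs separate coverage.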
