7Zip Compressing Dump Files

Jun 11, 2026 · attack.collection attack.t1560.001 ·

Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Sigma rule (View on GitHub)

 1title: 7Zip Compressing Dump Files
 2id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
 3related:
 4    - id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
 5      type: derived
 6status: test
 7description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
 8references:
 9    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-09-27
12modified: 2026-06-05
13tags:
14    - attack.collection
15    - attack.t1560.001
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Description|contains: '7-Zip'
22        - Image|endswith:
23              - '\7z.exe'
24              - '\7zr.exe'
25              - '\7za.exe'
26        - OriginalFileName:
27              - '7z.exe'
28              - '7za.exe'
29              - '7zr.exe'
30    selection_extension:
31        CommandLine|contains:
32            - '.dmp'
33            - '.dump'
34            - '.hdmp'
35    condition: all of selection_*
36falsepositives:
37    - Legitimate use of 7z with a command line in which ".dmp" or ".dump" appears accidentally
38    - Legitimate use of 7z to compress WER ".dmp" files for troubleshooting
39level: medium

References

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

Read More

7Zip Compressing Dump Files

Sigma rule (View on GitHub)

References

https://thedfirreport.com/2022/09/26/bumblebee-round-two/

Related rules