Exploitation of 7zip vulnerability - CVE-2022-29072
Detects possible exploitation of CVE-2022-29072, a reported local privilege escalation in 7-Zip 21.07 (the "Windows version 21.07" in the original write-up refers to the 7-Zip version, not to Windows). The public proof of concept drags a .7z file into the Help > Contents area opened from the 7-Zip File Manager and attributes the bug to a misconfiguration of 7z.dll; anyone with local access to the host can use it to run a command with elevated privileges. The resulting command shell is spawned as a child process of 7zFM.exe, so the rule looks for cmd.exe or powershell.exe whose parent is 7zFM.exe and excludes only command lines that end in .bat, .cmd or .ps1, i.e. a script opened directly from the file manager. The CVE entry is marked as disputed (the 7-Zip maintainer does not consider it a 7-Zip bug), so a hit is best treated as a suspicious parent/child pair to triage rather than as confirmed exploitation.
Sigma rule
```yaml
title: Exploitation of 7zip vulnerability - CVE-2022-29072
description: Detects possible exploitation of CVE-2022-29072, a reported local privilege escalation in 7-Zip 21.07. The public proof of concept drags a .7z file into the Help > Contents area of the 7-Zip File Manager and attributes the bug to a misconfiguration of 7z.dll; anyone with local access to the host can run a command with elevated privileges. The command shell is created as a child process of 7zFM.exe.
status: experimental
date: 2022/04/18
author: '@kostastsale'
references:
  - https://github.com/kagancapar/CVE-2022-29072
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - 'cmd.exe'
      - 'powershell.exe'
    ParentImage|endswith:
      - '7zFM.exe'
  filter:
    CommandLine|endswith:
      - '.bat'
      - '.cmd'
      - '.ps1'
  condition: selection1 and not filter
falsepositives:
  - Scripts opened from the 7-Zip File Manager run as children of 7zFM.exe. The filter only covers command lines that literally end in .bat, .cmd or .ps1; a quoted script path (ending in a double quote) or a script passed with further arguments will still match and needs manual triage.
level: high
tags:
  - attack.privilege_escalation
  - attack.t1068
  - cve.2022.29072
```
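The following is an added example, not part of the Sigma rule or the SigmaHQ project: it reimplements the rule's `selection1 and not filter` logic in Python and runs it over a handful of constructed process-creation records (hypothetical paths and command lines, not captured telemetry), so the effect of the `endswith` filter can be checked before the rule is deployed.

```python
# Added example (not from the Sigma rule or the SigmaHQ project): the rule's
# selection/filter logic evaluated over constructed process-creation events.
from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class ProcessCreation:
    """Subset of a Sysmon Event ID 1 / Windows 4688 record that the rule uses."""
    event_id: int
    Image: str
    ParentImage: str
    CommandLine: str


# Values copied from the rule above.
SELECTION_IMAGES: Sequence[str] = ("cmd.exe", "powershell.exe")
SELECTION_PARENTS: Sequence[str] = ("7zFM.exe",)
FILTER_CMDLINE_SUFFIXES: Sequence[str] = (".bat", ".cmd", ".ps1")


def endswith_any(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma string matching is case-insensitive by default, so compare lower-cased."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event: ProcessCreation) -> bool:
    """condition: selection1 and not filter"""
    selection1 = (
        endswith_any(event.Image, SELECTION_IMAGES)
        and endswith_any(event.ParentImage, SELECTION_PARENTS)
    )
    filt = endswith_any(event.CommandLine, FILTER_CMDLINE_SUFFIXES)
    return selection1 and not filt


def run_rule(events: Iterable[ProcessCreation]) -> List[int]:
    """Return the event_ids of the records that would fire the rule."""
    return [e.event_id for e in events if matches_rule(e)]


# Constructed sample events (hypothetical hosts and paths, not real telemetry).
SAMPLE_EVENTS = [
    # 1: bare shell spawned under the file manager, as in the PoC: fires
    ProcessCreation(1, r"C:\Windows\System32\cmd.exe",
                    r"C:\Program Files\7-Zip\7zFM.exe",
                    r"C:\Windows\System32\cmd.exe"),
    # 2: PowerShell child of 7zFM.exe: fires
    ProcessCreation(2, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Program Files\7-Zip\7zFM.exe",
                    "powershell.exe -nop -w hidden"),
    # 3: a .bat opened from the file manager, unquoted path: filtered out
    ProcessCreation(3, r"C:\Windows\System32\cmd.exe",
                    r"C:\Program Files\7-Zip\7zFM.exe",
                    r"C:\Windows\System32\cmd.exe /c C:\Temp\build.bat"),
    # 4: same script with a quoted path: the command line ends in '"', so the
    #    suffix filter does not apply and the rule still fires (false positive)
    ProcessCreation(4, r"C:\Windows\System32\cmd.exe",
                    r"C:\Program Files\7-Zip\7zFM.exe",
                    r'C:\Windows\System32\cmd.exe /c "C:\Temp\my build.bat"'),
    # 5: cmd.exe started from Explorer: parent not 7zFM.exe, no match
    ProcessCreation(5, r"C:\Windows\System32\cmd.exe",
                    r"C:\Windows\explorer.exe",
                    r"C:\Windows\System32\cmd.exe"),
    # 6: a text file opened from the archive: child image is not a shell
    ProcessCreation(6, r"C:\Windows\System32\notepad.exe",
                    r"C:\Program Files\7-Zip\7zFM.exe",
                    r'"C:\Windows\System32\notepad.exe" C:\Temp\readme.txt'),
]


if __name__ == "__main__":
    print("events firing the rule:", run_rule(SAMPLE_EVENTS))
```

Event 4 is the case to keep in mind when tuning: Sigma's `endswith` is a literal suffix test, so any quoting or trailing argument after the script name defeats the filter, and a `contains` on the script extension (or a filter on the parent command line) may be a better fit for environments where users routinely open scripts from the 7-Zip File Manager.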