Exploitation of 7zip vulnerability - CVE-2022-29072

Detects possible exploitation of vulnerability CVE-2022-29072. This vulnerability is due to a 7z.dll misconfiguration. When a .7z file is placed in the Help > Contents area of the current Windows version 21.07, anyone with access to the host can elevate privileges. The resulting command runs as a child process of 7zFM.exe, which is what the rule keys on: a cmd.exe or powershell.exe whose parent is 7zFM.exe, excluding command lines that merely end in a script file extension.

Sigma rule

```yaml
title: Exploitation of 7zip vulnerability - CVE-2022-29072
description: Detects possible exploitation vulnerability CVE-2022-29072. This vulnerability is due to 7z.dll misconfiguration. When a .7z file is placed in the Help > Contents area of the current Windows version 21.07, anyone with access to the host can elevate privileges. The command creates a child process of 7zFM.exe.
status: experimental
date: 2022/04/18
author: '@kostastsale'   # quoted: a bare leading '@' is a reserved indicator in YAML
references:
    - https://github.com/kagancapar/CVE-2022-29072
logsource:
    category: process_creation
    product: windows
detection:
    selection1:            # a shell or PowerShell spawned directly by the 7-Zip File Manager
        Image|endswith:
            - 'cmd.exe'
            - 'powershell.exe'
        ParentImage|endswith:
            - '7zFM.exe'
    filter:                # script files launched from the archive manager are not alerted on
        CommandLine|endswith:
            - '.bat'
            - '.cmd'
            - '.ps1'
    condition: selection1 and not filter
falsepositives:
    - Some false positives could exist but unlikely
level: high
tags:
    - attack.privilege_escalation
    - attack.t1068
```
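To show how the rule's selection and filter interact, here is the detection logic re-expressed in plain Python and run over a few constructed process-creation events. This is an added illustration, not Sigma's own compiler and not code from the rule author; the sample events are made up (Sysmon Event ID 1 style field names), not real telemetry.

```python
# Sigma "Exploitation of 7zip vulnerability - CVE-2022-29072" rendered as Python matchers.
SELECTION_IMAGES = ("cmd.exe", "powershell.exe")
SELECTION_PARENTS = ("7zFM.exe",)
FILTER_CMDLINE_SUFFIXES = (".bat", ".cmd", ".ps1")


def sigma_endswith(value: str, suffixes) -> bool:
    """Sigma's |endswith modifier: case-insensitive suffix match against any listed value."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """condition: selection1 and not filter"""
    selection1 = (sigma_endswith(event.get("Image", ""), SELECTION_IMAGES)
                  and sigma_endswith(event.get("ParentImage", ""), SELECTION_PARENTS))
    filter_ = sigma_endswith(event.get("CommandLine", ""), FILTER_CMDLINE_SUFFIXES)
    return selection1 and not filter_


# Constructed sample events (not real logs). Only the first one should alert:
#  1001: cmd.exe under 7zFM.exe with an inline command  -> selection1, no filter -> alert
#  1002: powershell.exe under 7zFM.exe running a .ps1    -> excluded by filter
#  1003: cmd.exe under explorer.exe                      -> wrong parent
#  1004: 7z.exe under 7zFM.exe                           -> image not in selection
SAMPLE_EVENTS = [
    {"EventRecordID": 1001, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami'},
    {"EventRecordID": 1002, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r"powershell.exe -File C:\Users\Public\setup.ps1"},
    {"EventRecordID": 1003, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"'},
    {"EventRecordID": 1004, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" l archive.7z'},
]


def alerts(events):
    """Return the events the rule would fire on, in input order."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT", e["EventRecordID"], e["Image"], "<-", e["ParentImage"])
```

Note that `endswith: 'cmd.exe'` has no leading backslash, so any image name ending in those characters satisfies the selection; matching on `'\cmd.exe'` is the usual way to anchor it to the file name.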
