Exploitation of 7zip vulnerability - CVE-2022-29072

Detects possible exploitation of CVE-2022-29072. The reported vulnerability is attributed to a 7z.dll misconfiguration in 7-Zip for Windows up to version 21.07: when a .7z file is dragged onto the Help > Contents area of the 7-Zip File Manager, anyone with access to the host can elevate privileges. Exploitation spawns cmd.exe or powershell.exe as a child process of 7zFM.exe, and that parent/child pairing is what the rule looks for. The filter excludes shells whose command line ends in .bat, .cmd or .ps1 (a script opened from the file manager), so a command line that an attacker ends with one of those suffixes escapes the rule, while a quoted script path (ending in a closing quote) does not match the filter and still alerts.

Sigma rule

```yaml
title: Exploitation of 7zip vulnerability - CVE-2022-29072
id: 932ade0f-3ba6-49c4-ba78-51c5234384d5
description: Detects possible exploitation of CVE-2022-29072. The reported vulnerability is attributed to a 7z.dll misconfiguration in 7-Zip for Windows up to version 21.07. When a .7z file is dragged onto the Help > Contents area, anyone with access to the host can elevate privileges. Exploitation spawns cmd.exe or powershell.exe as a child process of 7zFM.exe.
status: experimental
date: 2022/04/18
author: '@kostastsale'
references:
    - https://github.com/kagancapar/CVE-2022-29072
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        ParentImage|endswith:
            - '\7zFM.exe'
    filter:
        CommandLine|endswith:
            - '.bat'
            - '.cmd'
            - '.ps1'
    condition: selection1 and not filter
falsepositives:
    - Some false positives could exist but are unlikely
level: high
tags:
    - attack.privilege_escalation
    - attack.t1068
```
