Create 7z_CVE-2022-29072.yml

tsale · web-flow · commit 556658be46f5 · 2022-04-19T01:24:05.000-07:00
Adding sigma rule for behavioural detection
diff --git a/7z_CVE-2022-29072.yml b/7z_CVE-2022-29072.yml
@@ -0,0 +1,29 @@
+title: Exploitation of 7zip vulnerability - CVE-2022-29072
+description: Detects possible exploitation vulnerability CVE-2022-29072. This vulnerability is due to 7z.dll misconfiguration. When a .7z file is placed in the Help > Contents area of the current Windows version 21.07, anyone with access to the host can elevate privileges. The command creates a child process of 7zFM.exe.
+status: experimental
+date: 2022/04/18
+author: \@kostastsale
+references:
+    - https://github.com/kagancapar/CVE-2022-29072
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        Image|endswith:
+            - 'cmd.exe'
+            - 'powershell.exe'
+        ParentImage|endswith:
+            - '7zFM.exe'
+    filter:
+        CommandLine|endswith:
+            - '.bat'
+            - '.cmd'
+            - '.ps1'
+    condition: selection1 and not filter
+falsepositives:
+    - Some false positives could exist but unlikely
+level: high
+tags:
+    - attack.Exploitation for Privilege Escalation
+    - attack.T1068
