Techniques
Sample rules
Anomalous usage of 7zip
- source: splunk
- technicques:
- T1560.001
- T1560
Description
The following detection identifies a 7z.exe spawned from Rundll32.exe
or Dllhost.exe
. It is assumed that the adversary has brought in 7z.exe
and 7z.dll
. It has been observed where an adversary will rename 7z.exe
. Additional coverage may be required to identify the behavior of renamed instances of 7z.exe
. During triage, identify the source of injection into Rundll32.exe
or Dllhost.exe
. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `anomalous_usage_of_7zip_filter`