LoFP / legitimate activity is expected, since extracting password-protected files can be common in some environments.

Techniques

Sample rules

Password Protected Compressed File Extraction Via 7Zip

Description

Detects usage of 7-Zip command-line utilities (7z.exe, 7za.exe and 7zr.exe) to extract password-protected archives.

Detection logic

selection_img:
  - Description|contains: 7-Zip
  - Image|endswith:
      - \7z.exe
      - \7zr.exe
      - \7za.exe
  - OriginalFileName:
      - 7z.exe
      - 7za.exe
selection_password:
  CommandLine|contains|all:
    - ' -p'
    - ' x '
    - ' -o'
condition: all of selection_*
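An added example, not part of the rule page: a small evaluator for the two selections above, run over constructed Sysmon-style process-creation events (file paths, archive names and passwords are hypothetical). It reproduces the default Sigma semantics that matter here: string modifiers are case-insensitive, a list of maps is an OR, and contains|all requires every token.

```python
# Added example: evaluates the Sigma selections above against constructed
# Sysmon EventID 1 style records. Not the rule's own code.

IMAGE_SUFFIXES = ("\\7z.exe", "\\7zr.exe", "\\7za.exe")   # Image|endswith
ORIGINAL_NAMES = ("7z.exe", "7za.exe")                  # OriginalFileName
CMD_TOKENS = (" -p", " x ", " -o")                       # CommandLine|contains|all

def _norm(event, field):
    # Sigma string matching is case-insensitive by default.
    return str(event.get(field, "")).lower()

def selection_img(event):
    # A list of maps in Sigma means OR between the three field checks.
    return (
        "7-zip" in _norm(event, "Description")
        or _norm(event, "Image").endswith(IMAGE_SUFFIXES)
        or _norm(event, "OriginalFileName") in ORIGINAL_NAMES
    )

def selection_password(event):
    # contains|all: every token must appear in the command line.
    cmd = _norm(event, "CommandLine")
    return all(tok in cmd for tok in CMD_TOKENS)

def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_password(event)

# Constructed sample events (hypothetical values).
EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "Description": "7-Zip Console",
     "CommandLine": r"7z.exe x -pSecret123 -oC:\Users\u\out archive.7z"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "Description": "7-Zip Console",
     "CommandLine": r"7z.exe a -pSecret123 archive.7z"},      # archive creation, not extraction
    {"Image": r"C:\Tools\unrar.exe", "Description": "Command line RAR",
     "CommandLine": r"unrar.exe x -pSecret -oC:\out a.rar"},   # different tool, image check fails
]

def alerts(events=EVENTS):
    # Indices of events that would raise this rule.
    return [i for i, e in enumerate(events) if matches(e)]

if __name__ == "__main__":
    print(alerts())  # [0]
```

Note that the first event is exactly what a routine password-protected extraction by a user looks like, which is why the LoFP entry above expects legitimate hits; triage needs context such as the parent process, user and archive source.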