LoFP / Legitimate third party application located in "appdata" may leverage this dll to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.

Techniques

Sample rules

Potential 7za.DLL Sideloading

Description

Detects potential DLL sideloading of “7za.dll”

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_path:
  ImageLoaded|startswith:
  - C:\Program Files (x86)\
  - C:\Program Files\
  Image|startswith:
  - C:\Program Files (x86)\
  - C:\Program Files\
selection:
  ImageLoaded|endswith: \7za.dll
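
The detection logic above, evaluated over constructed image-load events. This is an added example, not part of the original page or of the Sigma rule; it shows the AppData false positive and one narrowly scoped additional filter. `filter_main_vendor_appdata`, `ExampleApp`, the user name and every event path are assumptions made for illustration.

```python
# Added example: the page's Sigma detection logic applied to constructed events.
PROGRAM_FILES = ("c:\\program files (x86)\\", "c:\\program files\\")

def selection(ev):
    # selection: ImageLoaded|endswith: \7za.dll (Sigma string matching is case-insensitive)
    return ev["ImageLoaded"].lower().endswith("\\7za.dll")

def filter_main_legit_path(ev):
    # Fields inside one filter are ANDed: the process AND the DLL must sit under Program Files.
    return (ev["ImageLoaded"].lower().startswith(PROGRAM_FILES)
            and ev["Image"].lower().startswith(PROGRAM_FILES))

def filter_main_vendor_appdata(ev, vendor_dir):
    # Hypothetical additional filter (not in the rule): pin BOTH paths to one exact
    # install directory instead of excluding all of AppData.
    d = vendor_dir.lower()
    return ev["ImageLoaded"].lower().startswith(d) and ev["Image"].lower().startswith(d)

def rule_matches(ev, vendor_dir=None):
    # condition: selection and not 1 of filter_main_*
    filters = [filter_main_legit_path(ev)]
    if vendor_dir is not None:
        filters.append(filter_main_vendor_appdata(ev, vendor_dir))
    return selection(ev) and not any(filters)

# Constructed sample events; application name, user and paths are placeholders.
VENDOR_DIR = "C:\\Users\\alice\\AppData\\Local\\ExampleApp\\"
PF_APP = "C:\\Program Files\\ExampleApp\\"
EVENTS = {
    "program_files": {"Image": PF_APP + "app.exe",
                      "ImageLoaded": PF_APP + "7za.dll"},
    "appdata_vendor": {"Image": VENDOR_DIR + "app.exe",
                       "ImageLoaded": VENDOR_DIR + "7za.dll"},
    "dll_outside_program_files": {"Image": PF_APP + "app.exe",
                                  "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\7za.dll"},
    "unrelated_dll": {"Image": VENDOR_DIR + "app.exe",
                      "ImageLoaded": VENDOR_DIR + "zlib.dll"},
}

def evaluate(vendor_dir=None):
    return {name: rule_matches(ev, vendor_dir) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    print("rule as published:  ", evaluate())
    print("with vendor filter: ", evaluate(VENDOR_DIR))
```

The vendor filter suppresses only the event where both the process and the DLL live in the pinned directory; a Program Files process loading `7za.dll` from elsewhere still alerts in both runs.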