Sample rules
7Zip Compressing Dump Files
- source: sigma
- techniques:
    - t1560
    - t1560.001
Description
Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Detection logic
condition: all of selection_*
selection_extension:
    CommandLine|contains:
        - .dmp
        - .dump
        - .hdmp
selection_img:
    - Description|contains: 7-Zip
    - Image|endswith:
        - \7z.exe
        - \7zr.exe
        - \7za.exe
    - OriginalFileName:
        - 7z.exe
        - 7za.exe
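As an added example that is not part of the original rule page, the following Python evaluates this rule's selections and condition over constructed process-creation events, so the OR/AND semantics of the list-of-maps selection and the `all of selection_*` condition can be checked offline. The MODIFIERS table, the field names and the SAMPLE_EVENTS are assumptions of the example, not Sigma's own implementation or real telemetry.

```python
# Added example, not the rule's own code: runs the detection logic above over constructed events.

# Detection logic transcribed from the rule: a list of maps is OR-ed, keys within
# one map are AND-ed, and a list of values for one key is OR-ed.
RULE = {
    "selection_extension": {"CommandLine|contains": [".dmp", ".dump", ".hdmp"]},
    "selection_img": [
        {"Description|contains": ["7-Zip"]},
        {"Image|endswith": ["\\7z.exe", "\\7zr.exe", "\\7za.exe"]},
        {"OriginalFileName": ["7z.exe", "7za.exe"]},
    ],
}

# Sigma string matching is case-insensitive; only the modifiers this rule uses are handled.
MODIFIERS = {
    "": lambda actual, value: actual == value,
    "contains": lambda actual, value: value in actual,
    "endswith": lambda actual, value: actual.endswith(value),
}

def field_matches(event, key, values):
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    return any(MODIFIERS[modifier](actual, str(v).lower()) for v in values)

def selection_matches(event, selection):
    if isinstance(selection, list):  # list of maps: OR across the maps
        return any(selection_matches(event, m) for m in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())  # keys: AND

def rule_matches(event):
    """condition: all of selection_* -> every selection must match."""
    return all(selection_matches(event, s) for s in RULE.values())

# Constructed sample events (Sysmon event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "Description": "7-Zip Console", "CommandLine": r"7z.exe a out.7z C:\temp\app_crash.dmp"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "Description": "7-Zip Console", "CommandLine": r"7z.exe a docs.7z report.docx"},
    {"Image": r"C:\Tools\zip.exe", "OriginalFileName": "zip.exe",
     "Description": "Info-ZIP", "CommandLine": r"zip.exe crash.zip app.DUMP"},
    {"Image": r"C:\Users\u\Downloads\x.exe", "OriginalFileName": "7za.exe",
     "Description": "", "CommandLine": r"x.exe a c.7z memory.HDMP"},  # renamed 7-Zip binary
]

def matching_indices(events=SAMPLE_EVENTS):
    """Indices of events the rule fires on; [0, 3] for SAMPLE_EVENTS."""
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Event 2 shows the rule is silent for a non-7-Zip archiver even with a dump file on the command line, and event 3 shows why the OriginalFileName and Description alternatives matter when the binary has been renamed.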