Type: Detection, Level: low, Status: test

Potential 7za.DLL Sideloading

Detects potential DLL sideloading of "7za.dll"

Author: X__Junior
Created: Fri Jun 09
Rule ID: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
Product: windows
Log Source
Windows / Image Load (DLL)
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (2 selectors)
detection:
    selection:
        ImageLoaded|endswith: '\7za.dll'
    filter_main_legit_path:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: selection and not 1 of filter_main_*
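To see how the two selectors combine (fields inside a selection are ANDed, list values are ORed, and matching is case-insensitive), here is an added Python evaluation of the rule's logic over constructed Sysmon Event ID 7 records. This is example code, not part of the rule or the page; the sample event dictionaries and the alerts helper are assumptions.

```python
"""Added example: evaluate this Sigma rule's logic in Python against
constructed Sysmon Event ID 7 (image load) records."""
from typing import Dict, List

# Path prefixes taken from the rule's filter_main_legit_path selector
LEGIT_PREFIXES = ('C:\\Program Files (x86)\\', 'C:\\Program Files\\')
TARGET_SUFFIX = '\\7za.dll'


def _ci(value: str) -> str:
    # Sigma string matching is case-insensitive by default
    return value.lower()


def selection(event: Dict[str, str]) -> bool:
    """ImageLoaded|endswith: '\\7za.dll'"""
    return _ci(event.get("ImageLoaded", "")).endswith(_ci(TARGET_SUFFIX))


def filter_main_legit_path(event: Dict[str, str]) -> bool:
    """Both Image and ImageLoaded must start with one of the listed
    prefixes (fields ANDed, list values ORed)."""
    prefixes = tuple(_ci(p) for p in LEGIT_PREFIXES)
    image = _ci(event.get("Image", ""))
    loaded = _ci(event.get("ImageLoaded", ""))
    return image.startswith(prefixes) and loaded.startswith(prefixes)


def matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_legit_path(event)


# Constructed sample events (Sysmon EID 7 fields), not real telemetry
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "ImageLoaded": r"C:\Program Files\7-Zip\7za.dll"},            # legit, filtered out
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\7za.dll"},  # alert
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\7ZA.DLL"},     # alert: filter needs both paths
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},              # unrelated load
]


def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image paths of events that trigger the rule."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT: possible 7za.dll sideload by", image)
```

The third event shows why the filter checks both fields: a Program Files process loading the DLL from a user-writable directory is still reported.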
False Positives

Legitimate third-party applications located under "AppData" may load this DLL to provide 7z compression functionality and may therefore generate false positives. Apply additional filters as needed.

Rule Metadata
Rule ID
4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
Status
test
Level
low
Type
Detection
Created
Fri Jun 09
Author
X__Junior
Path
rules/windows/image_load/image_load_side_load_7za.yml
Raw Tags
attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.001