Threat Huntlowtest
Password Protected Compressed File Extraction Via 7Zip
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Fri Mar 10Updated Tue Jul 16b717b8fd-6467-4d7d-b3d3-27f9a463af77windows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Description|contains: '7-Zip'
- Image|endswith:
- '\7z.exe'
- '\7zr.exe'
- '\7za.exe'
- OriginalFileName:
- '7z.exe'
- '7za.exe'
selection_password:
CommandLine|contains|all:
- ' -p'
- ' x '
- ' -o'
condition: all of selection_*False Positives
Legitimate activity is expected since extracting files with a password can be common in some environment.
References
MITRE ATT&CK
Tactics
Sub-techniques
Other
detection.threat-hunting
Rule Metadata
Rule ID
b717b8fd-6467-4d7d-b3d3-27f9a463af77
Status
test
Level
low
Type
Threat Hunt
Created
Fri Mar 10
Modified
Tue Jul 16
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_7zip_password_extraction.yml
Raw Tags
attack.collectionattack.t1560.001detection.threat-hunting