Anomalous Usage Of 7Zip


The following detection identifies 7z.exe spawned from Rundll32.exe or Dllhost.exe. It is assumed that the adversary has brought in 7z.exe and 7z.dll themselves. Adversaries have been observed renaming 7z.exe, so additional coverage may be required to identify renamed instances of it. During triage, identify the source of the injection into Rundll32.exe or Dllhost.exe, capture any files written to disk and analyze them as needed, and review parallel processes for additional behaviors. Archiving files of this kind typically precedes exfiltration.
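As an added example (not the Splunk search itself), the following Python applies the same parent/child pairing to constructed process-creation events. Field names follow Sysmon Event ID 1 conventions, and the OriginalFileName check that extends coverage to renamed copies is an assumption beyond what the search above does.

```python
"""Added example, not Splunk's detection: flags 7z.exe (or a renamed copy)
spawned by rundll32.exe or dllhost.exe over constructed sample events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Parents the detection treats as anomalous launchers of an archiver.
SUSPICIOUS_PARENTS = {"rundll32.exe", "dllhost.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    image: str                   # full path of the new process
    parent_image: str            # full path of the parent process
    command_line: str
    original_file_name: str = ""  # PE version-info name (assumed field), if recorded


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_anomalous_7zip(ev: ProcessEvent) -> bool:
    """True when 7z.exe, or a renamed binary whose original file name is
    7z.exe, is spawned by one of the suspicious parents."""
    if _basename(ev.parent_image) not in SUSPICIOUS_PARENTS:
        return False
    # Renamed binaries keep OriginalFileName in their PE version info, which is
    # how this check reaches beyond the literal process name 7z.exe.
    return _basename(ev.image) == "7z.exe" or ev.original_file_name.lower() == "7z.exe"


# Constructed sample events: a benign archive job, a direct match, a renamed copy.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\7-Zip\7z.exe", r"C:\Windows\explorer.exe",
                 r"7z.exe a backup.7z C:\Users\alice\Documents", "7z.exe"),
    ProcessEvent(r"C:\Users\Public\7z.exe", r"C:\Windows\System32\rundll32.exe",
                 r"7z.exe a C:\Users\Public\out.7z C:\Users\alice\Documents", "7z.exe"),
    ProcessEvent(r"C:\Users\Public\update.exe", r"C:\Windows\System32\dllhost.exe",
                 r"update.exe a out.7z C:\Users\alice\Documents", "7z.exe"),
]


def find_hits(events):
    """Return the command lines of every event matching the detection."""
    return [ev.command_line for ev in events if is_anomalous_7zip(ev)]


if __name__ == "__main__":
    for line in find_hits(SAMPLE_EVENTS):
        print("ALERT:", line)
```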


Anomalous Usage Of 7Zip Help

To successfully implement this search, you need to be ingesting process information from your endpoints, including the name of the process responsible for the changes, into the Endpoint data model in the Processes node.
