The hunting hypothesis is that an adversary has planted a malicious 7za.dll (the name of a 7-Zip library) where a legitimate executable will load it, so that a trusted process executes attacker code under its own identity (DLL search-order hijacking / sideloading, ATT&CK T1574.001). Because the payload runs inside a signed, expected process, file-reputation and process-name based controls often miss it. SOC teams should proactively hunt in Azure Sentinel for 7za.dll image loads that fall outside the normal installation directories and triage the loading process and the DLL's location.
Detection Rule
title: Potential 7za.DLL Sideloading
id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
status: test
description: Detects potential DLL sideloading of "7za.dll"
references:
    - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
author: X__Junior
date: 2023-06-09
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\7za.dll'
    filter_main_legit_path:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate third party application located in "AppData" may leverage this DLL to offer 7z compression functionality and may generate false positives. Apply additional filters as needed.
level: low
Sentinel / Defender translation over DeviceImageLoadEvents. FolderPath is the loaded DLL (Sigma ImageLoaded) and InitiatingProcessFolderPath is the image of the process that loaded it (Sigma Image); the filter only suppresses an event when both paths sit under Program Files, so a trusted process loading 7za.dll from a user-writable directory still fires. KQL startswith/endswith are case-insensitive, matching Sigma's default string semantics.
DeviceImageLoadEvents
| where FolderPath endswith "\\7za.dll"
| where not(
    (InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\"
     or InitiatingProcessFolderPath startswith "C:\\Program Files\\")
    and
    (FolderPath startswith "C:\\Program Files (x86)\\"
     or FolderPath startswith "C:\\Program Files\\"))
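As an added example (not the rule author's code and not part of the original page), the following Python evaluates the same selection and filter_main_legit_path logic against constructed DeviceImageLoadEvents-style records, and layers on a parent-process allowlist of the kind the false-positive scenarios below describe. All host names, paths and the allowlist contents are hypothetical; the records are constructed, not real telemetry.

```python
# Added example: the 'Potential 7za.DLL Sideloading' rule logic in Python,
# run over constructed DeviceImageLoadEvents-style records (hypothetical data).

LEGIT_ROOTS = ("C:\\Program Files (x86)\\", "C:\\Program Files\\")


def _starts_with_any(path, prefixes):
    # Sigma string modifiers and KQL startswith/endswith are case-insensitive.
    p = path.lower()
    return any(p.startswith(prefix.lower()) for prefix in prefixes)


def matches_rule(event):
    """True if the event fires the base rule.

    Keys mirror DeviceImageLoadEvents: FolderPath is the loaded DLL,
    InitiatingProcessFolderPath is the image of the process that loaded it.
    """
    loaded = event.get("FolderPath", "")
    loader = event.get("InitiatingProcessFolderPath", "")
    if not loaded.lower().endswith("\\7za.dll"):
        return False  # selection did not match
    # The filter suppresses only when BOTH paths are under Program Files, so a
    # Program Files process loading 7za.dll from a user-writable directory still fires.
    legit = _starts_with_any(loader, LEGIT_ROOTS) and _starts_with_any(loaded, LEGIT_ROOTS)
    return not legit


def matches_with_parent_allowlist(event, allowed_parents):
    """Base rule plus a parent-process-name exclusion used for FP tuning.

    Name-only exclusions are weak: the attacker chooses the loader's name and
    often its parent, so production filters should key on full paths (and signer).
    """
    if not matches_rule(event):
        return False
    parent = event.get("InitiatingProcessParentFileName", "").lower()
    return parent not in {p.lower() for p in allowed_parents}


# Constructed sample telemetry (hypothetical paths; not real events).
SAMPLE_EVENTS = [
    {  # vendor app loading its own copy under Program Files: suppressed
        "id": "legit-program-files",
        "InitiatingProcessFolderPath": r"C:\Program Files\VendorApp\vendorapp.exe",
        "FolderPath": r"C:\Program Files\VendorApp\7za.dll",
        "InitiatingProcessParentFileName": "explorer.exe"},
    {  # same, different letter case: still suppressed (matching is case-insensitive)
        "id": "legit-mixed-case",
        "InitiatingProcessFolderPath": r"C:\PROGRAM FILES (X86)\VendorApp\vendorapp.exe",
        "FolderPath": r"C:\program files (x86)\VendorApp\7ZA.DLL",
        "InitiatingProcessParentFileName": "explorer.exe"},
    {  # classic sideload: dropper and DLL both in a user-writable temp directory
        "id": "temp-sideload",
        "InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "FolderPath": r"C:\Users\alice\AppData\Local\Temp\7za.dll",
        "InitiatingProcessParentFileName": "outlook.exe"},
    {  # trusted loader, planted DLL: the AND in the filter keeps this one
        "id": "trusted-loader-planted-dll",
        "InitiatingProcessFolderPath": r"C:\Program Files\VendorApp\vendorapp.exe",
        "FolderPath": r"C:\Users\alice\AppData\Local\Temp\7za.dll",
        "InitiatingProcessParentFileName": "cmd.exe"},
    {  # look-alike directory: the trailing backslash in the prefix is what stops it
        "id": "lookalike-dir",
        "InitiatingProcessFolderPath": r"C:\Program Files Backup\tool.exe",
        "FolderPath": r"C:\Program Files Backup\7za.dll",
        "InitiatingProcessParentFileName": "cmd.exe"},
    {  # a different DLL name never matches the selection
        "id": "other-dll",
        "InitiatingProcessFolderPath": r"C:\Users\alice\AppData\Local\Temp\update.exe",
        "FolderPath": r"C:\Users\alice\AppData\Local\Temp\7z.dll",
        "InitiatingProcessParentFileName": "outlook.exe"},
    {  # fires the base rule, but the parent is on the hypothetical backup allowlist
        "id": "allowlisted-parent",
        "InitiatingProcessFolderPath": r"C:\Users\svc_backup\AppData\Local\Backup\7za.exe",
        "FolderPath": r"C:\Users\svc_backup\AppData\Local\Backup\7za.dll",
        "InitiatingProcessParentFileName": "wbadmin.exe"},
]


def run(events, allowed_parents=("wbadmin.exe", "vssadmin.exe")):
    """Return {event id: (fires_base_rule, fires_after_parent_allowlist)}."""
    return {e["id"]: (matches_rule(e), matches_with_parent_allowlist(e, allowed_parents))
            for e in events}


if __name__ == "__main__":
    for event_id, (base, tuned) in run(SAMPLE_EVENTS).items():
        print(f"{event_id:28s} base={base!s:5s} tuned={tuned}")
```

The "lookalike-dir" and "trusted-loader-planted-dll" records are the two cases worth keeping in mind when tuning: dropping the trailing backslash from the prefixes would silently exclude any directory that merely begins with "C:\Program Files", and replacing the AND in the filter with an OR would exclude the exact loader-in-Program-Files, DLL-in-Temp pattern the rule exists to catch.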
Scenario: Legitimate 7-Zip Compression Task
Description: A system administrator uses 7-Zip to compress files as part of a routine backup or archive job.
Filter/Exclusion: Check the process tree to confirm that the process loading 7za.dll (typically 7za.exe) was launched by a known backup tool, script or scheduled task (e.g., a task named "Backup_Script"), and that the DLL sits in that tool's own installation directory rather than a user-writable location.
Filter Example (Sentinel, DeviceImageLoadEvents): | where not(InitiatingProcessParentFileName in~ ("wbadmin.exe", "vssadmin.exe"))
Scenario: Scheduled Job for Software Deployment
Description: A scheduled job runs a script that uses 7-Zip to deploy an application update, extracting 7za.dll from a trusted package.
Filter/Exclusion: Exclude loads whose parent is a known deployment tool (e.g., the ConfigMgr client CcmExec.exe, Chocolatey's choco.exe, or a job named "App_Update_Deployment"), keyed on the parent's full path where possible rather than its bare file name.
Filter Example: | where not(InitiatingProcessParentFileName in~ ("choco.exe", "CcmExec.exe"))
Scenario: Diagnostic or Security Tooling
Description: A tool such as Sysinternals Process Explorer or Process Monitor is being used to inspect file and module activity. Verify in your own telemetry whether a given tool actually loads 7za.dll before excluding it.
Filter/Exclusion: Exclude only tools confirmed to load 7za.dll, matched on the full image path of the loading process (e.g., procmon.exe or procexp.exe under the directory your tooling is deployed from), since an attacker can name a dropper after any of them.
Filter Example: | where not(InitiatingProcessFolderPath startswith "C:\\Tools\\Sysinternals\\" and InitiatingProcessFileName in~ ("procmon.exe", "procexp.exe"))  // the directory is a placeholder for your own deployment path
Scenario: Admin Task for Log File Compression
Description: An administrator is using 7-Zip to compress log files as part of a log management task, which may involve loading `