Query Details

Rule : Detection of 7-Zip Archiving to SMB Admin Shares

7Z To SM Bshare

Query

DeviceProcessEvents
| where FileName in ("7z.exe", "7za.exe", "7zr.exe") 
   or ProcessVersionInfoOriginalFileName in ("7z.exe", "7za.exe", "7zr.exe")
| where ProcessCommandLine has_any ("\\C$\\", "\\Admin$\\", "\\IPC$\\")

About this query

Explanation

This query is designed to detect potentially suspicious activity involving the use of the 7-Zip software to interact with administrative network shares on Windows systems. It specifically looks for instances where 7-Zip executable files (7z.exe, 7za.exe, or 7zr.exe) are used in a way that involves accessing special administrative shares like C$, Admin$, or IPC$. These shares are typically used for administrative purposes and are not usually accessed by 7-Zip in normal operations.

The purpose of this detection is to identify possible malicious behavior, such as an attacker using 7-Zip to compress and prepare files for unauthorized transfer over the network. This kind of activity is often associated with lateral movement within a network and data exfiltration attempts.

The query works by monitoring DeviceProcessEvents for processes that match the specified 7-Zip executables and checking if their command lines include references to the administrative shares. If such activity is detected, it could indicate an attempt to misuse 7-Zip for malicious purposes.

Details

Ali Hussein profile picture

Ali Hussein

Released: March 18, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsFileNameVersionInfoOriginalCommandLineSMBShareWindowsSecurity

Operators

|whereinorhas_any

Actions

GitHub