
Potential 7za.DLL Sideloading

Sigma Rules

Summary
This detection rule identifies potential sideloading of '7za.dll', a library commonly shipped with file compression tools such as 7-Zip. The rule triggers when a loaded image ends with '7za.dll', excluding loads from the common Program Files directories to reduce false positives. DLL sideloading of this kind can indicate malicious persistence or privilege escalation, since an attacker may use the DLL to execute unauthorized code within the context of a trusted application. The rule combines a selection criterion with filtering conditions to limit false alarms. Legitimate use cases, such as third-party applications that bundle '7za.dll' in user directories, can still produce false positives, so further contextual filters should be applied where needed. This low-level alert is informational and may require manual verification to distinguish benign from malicious activity.
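To make the matching logic concrete, here is an added example (not the published Sigma rule and not the project's own code) that applies the described condition to a few constructed image-load events. It assumes Sysmon Event ID 7 style fields (`ImageLoaded`), case-insensitive matching as Sigma applies on Windows, and `C:\Program Files` / `C:\Program Files (x86)` as the excluded Program Files paths; the `extra_allow` parameter stands in for the contextual filters the summary recommends.

```python
"""Added example: minimal matcher mirroring the described detection logic."""
from typing import Dict, Iterable, List

# Assumption: the rule's filter covers the two standard Program Files roots.
# Sigma string matching on Windows is case-insensitive, so everything is lowered.
PROGRAM_FILES_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def is_suspicious_7za_load(event: Dict[str, str],
                           extra_allow: Iterable[str] = ()) -> bool:
    """True when the loaded module ends with 7za.dll and sits outside the
    Program Files directories (plus any site-specific allowlisted prefixes)."""
    image = event.get("ImageLoaded", "").lower()
    if not image.endswith("7za.dll"):          # selection: image|endswith
        return False
    allowed = PROGRAM_FILES_PREFIXES + tuple(p.lower() for p in extra_allow)
    return not image.startswith(allowed)       # filter: not from trusted roots


def find_hits(events: Iterable[Dict[str, str]],
              extra_allow: Iterable[str] = ()) -> List[str]:
    """Return the ImageLoaded paths that the rule would alert on."""
    return [e["ImageLoaded"] for e in events
            if is_suspicious_7za_load(e, extra_allow)]


# Constructed sample events (Sysmon EID 7 shape); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\7-Zip\7zG.exe",            # legitimate install
     "ImageLoaded": r"C:\Program Files\7-Zip\7za.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",  # user-writable dir
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\7za.dll"},
    {"Image": r"C:\Windows\explorer.exe",                   # unrelated module
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for path in find_hits(SAMPLE_EVENTS):
        print("ALERT potential 7za.dll sideloading:", path)
```

Running the block flags only the Temp-directory load; passing that directory in `extra_allow` shows how a contextual filter for a known third-party bundle silences it without touching the rule's core condition.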
Categories
  • Windows
  • Endpoint
Data Sources
  • Image
Created: 2023-06-09