The 7-zip-prep-for-exfiltration rule detects the use of 7-Zip to compress files, which is often a precursor to data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration attempts early and mitigate data loss risks.
KQL Query
DeviceProcessEvents | where FileName == "7z.exe" | where ProcessCommandLine contains "ProgramData\\pst"
id: 66d73c14-f888-4748-a0ae-609577fcb51f
name: 7-zip-prep-for-exfiltration
description: |
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
1. CVE-2021-26855
2. CVE-2021-26857
3. CVE-2021-26858
4. CVE-2021-27065
The following query detects 7-zip activity associated with this threat. 7-ZIP is a legitimate tool used for file archiving; however, unusual 7-ZIP activity combined with other evidence might indicate that an attacker is compressing data for exfiltration.
More queries related to this threat can be found under the See also section of this page.
Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Exfiltration
query: |
DeviceProcessEvents | where FileName == "7z.exe" | where ProcessCommandLine contains "ProgramData\\pst"
| Sentinel Table | Notes |
|---|---|
DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: 7-Zip is used for legitimate archive creation
Filter/Exclusion: process.name != "7z.exe" or process.name contains "7-Zip" and process.args contains "a" (archive command)
Scenario: System administrator is compressing logs for backup
Filter/Exclusion: process.name contains "7-Zip" and process.args contains "b" (backup command) or process.args contains "t" (test command)
Scenario: Scheduled job runs 7-Zip to prepare files for transfer
Filter/Exclusion: process.name contains "7-Zip" and process.parent_process contains "schtasks.exe" or process.parent_process contains "task scheduler"
Scenario: 7-Zip is used to extract files during a software installation
Filter/Exclusion: process.name contains "7-Zip" and process.args contains "x" (extract command) or process.args contains "s" (set password)
Scenario: 7-Zip is used to compress files for internal file sharing
Filter/Exclusion: process.name contains "7-Zip" and process.args contains "a" (archive command) and process.args contains "p" (password) or process.args contains "m" (multi-volume)