u-siem 0.7.0

A framework for building custom SIEMs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

title: Suspicious 7zip Subprocess
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
status: experimental
description: 7-Zip through 21.07 on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.
references:
    - https://github.com/kagancapar/CVE-2022-29072
    - https://twitter.com/kagancapar/status/1515219358234161153
author: frack113
date: 2022/04/17
modified: 2022/11/18
tags:
    - cve.2022.29072
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_parent:
        ParentImage|endswith: '\7zFM.exe'
    filter_bat:
        CommandLine|contains:
            - ' /c '
            - ' /k '
            - ' /r '
    filter_null:
        CommandLine: null
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high