# Rule: Detection of 7-Zip Archiving to SMB Admin Shares
## Description
This rule flags the command-line builds of **7-Zip** (`7z.exe`, `7za.exe`, `7zr.exe`) whose command line names an administrative SMB share: **C$** (the root of a remote system drive), **Admin$** (the remote `%SystemRoot%`, normally `C:\Windows`) or **IPC$** (the named-pipe share). An archive written to `\\host\C$\...` or `\\host\Admin$\...` is data being staged on, or collected from, another host over SMB by an account that holds local administrator rights there. In ATT&CK terms this is Archive Collected Data: Archive via Utility (T1560.001) carried out over SMB/Windows Admin Shares (T1021.002). The archive itself is normally moved off the network in a later step, so a hit marks **staging** and the **lateral movement** that reached the share, not the exfiltration itself.
In most environments legitimate 7-Zip use stays on local paths or ordinary user shares, so command lines that reference administrative shares are rare enough to review individually. The usual benign source is a scheduled backup or deployment script that archives to a known server's `C$` share; tune those out by host and service account rather than by widening the rule's exclusions.
- [Splunk Research: 7-Zip Archive Created in SMB Share](https://research.splunk.com/endpoint/01d29b48-ff6f-11eb-b81e-acde48001123/)
## Detection Logic
- **Monitors `DeviceProcessEvents`** (Microsoft Defender for Endpoint process-creation telemetry) where:
  - The `FileName` or `ProcessVersionInfoOriginalFileName` matches one of the 7-Zip command-line binaries:
    - `"7z.exe"` (full command-line build)
    - `"7za.exe"` (standalone build)
    - `"7zr.exe"` (reduced standalone build)
  - The `ProcessCommandLine` contains one of the admin-share path fragments:
    - `"\\C$\\"` (default share for the system drive, `\\host\C$\`)
    - `"\\Admin$\\"` (share for `%SystemRoot%`, `\\host\Admin$\`)
    - `"\\IPC$\\"` (named-pipe share used for session setup and RPC; it holds no files, so a 7-Zip command line that names it cannot succeed and is worth a look on its own)
- Checking `ProcessVersionInfoOriginalFileName` as well as `FileName` catches a 7-Zip binary that has been renamed, because the `OriginalFilename` field comes from the executable's version resource. It does not catch a binary whose version resource was stripped, and the GUI builds (`7zG.exe`, `7zFM.exe`) are outside the scope of this rule.
- In a KQL double-quoted string `\\` is a single backslash, so `"\\C$\\"` is the substring `\C$\`, which is exactly what appears inside `\\host\C$\path`.
## Tags
- Data Exfiltration
- Lateral Movement
- SMB Share Monitoring
- Suspicious File Archiving
- Windows Security
## Search Query
```kql
DeviceProcessEvents
// in~ is case-insensitive; plain `in` is case-sensitive and would miss 7Z.EXE
| where FileName in~ ("7z.exe", "7za.exe", "7zr.exe")
    or ProcessVersionInfoOriginalFileName in~ ("7z.exe", "7za.exe", "7zr.exe")
// "\\C$\\" is the literal substring \C$\ ; has_any is already case-insensitive
| where ProcessCommandLine has_any ("\\C$\\", "\\Admin$\\", "\\IPC$\\")
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessVersionInfoOriginalFileName, ProcessCommandLine,
          InitiatingProcessFileName
```
The query narrows `DeviceProcessEvents` to process starts whose binary is one of the 7-Zip command-line builds, matched either by `FileName` or, when the file has been renamed, by the `OriginalFilename` value carried in its version resource, and whose command line contains `\C$\`, `\Admin$\` or `\IPC$\`. Administrative shares are reached by administrators and remote-management tooling; an archiving utility naming one is not part of a normal user workflow.
A hit usually means an operator is packaging collected data on another host over SMB, or pulling a remote host's files into a local archive. That sits between collection and exfiltration in an intrusion and is tied to lateral movement because reaching `C$` or `Admin$` requires administrator rights on the target. The command line tells you the direction: for `7z a <archive> <paths>` the archive is the destination and the remaining paths are what was collected, and a `-p` switch on the same line means the archive is password-protected and will not be inspectable in transit.
When triaging, pivot on `DeviceName`, `AccountName` and the UNC host in the command line: confirm the corresponding network logon on the target host, check `DeviceFileEvents` for the archive being written and later read or copied, and look for an outbound transfer of a similarly sized file shortly afterwards. Recurring hits from one service account writing to the same backup server are the common false positive and can be excluded by host and account.
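To exercise the matching logic offline, the following is an added Python reimplementation of the two `where` clauses (example code written for this page, not the rule's own query and not Defender code). It reproduces the KQL semantics that matter here: `in` is case-sensitive while `in~` and `has_any` are not, and the version-info original file name catches a renamed binary. The `DeviceProcessEvents` rows, host names, account names and the `known_backup_hosts` tuning allowlist are all constructed for the example.

```python
"""Reference implementation of the 7-Zip -> SMB admin share rule.

Added example for this page: not the rule's own KQL and not Defender code.
Field names follow the DeviceProcessEvents schema; every row below is
constructed, as is the known_backup_hosts allowlist used for tuning.
"""
import re
from dataclasses import dataclass

# Same literals as the KQL query. In both KQL and Python, "\\C$\\" is the
# substring \C$\ which appears inside a UNC path such as \\host\C$\path.
SEVENZIP_CLI_NAMES = {"7z.exe", "7za.exe", "7zr.exe"}
ADMIN_SHARE_MARKERS = ("\\C$\\", "\\Admin$\\", "\\IPC$\\")

# Pulls the target host out of a UNC admin-share path: \\FS01\C$\... -> FS01
UNC_ADMIN_SHARE = re.compile(r"\\\\([^\\\s]+)\\(?:C|Admin|IPC)\$\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    DeviceName: str
    AccountName: str
    FileName: str
    ProcessVersionInfoOriginalFileName: str
    ProcessCommandLine: str


def is_sevenzip(event: ProcessEvent, case_insensitive: bool = True) -> bool:
    """First `where`: FileName or version-info OriginalFilename is a 7-Zip CLI.

    case_insensitive=True models KQL `in~`; False models plain `in`.
    """
    names = (event.FileName, event.ProcessVersionInfoOriginalFileName)
    if case_insensitive:
        return any(n.lower() in SEVENZIP_CLI_NAMES for n in names)
    return any(n in SEVENZIP_CLI_NAMES for n in names)


def touches_admin_share(command_line: str) -> bool:
    """Second `where`: KQL has_any is case-insensitive, so compare lower-cased."""
    lowered = command_line.lower()
    return any(marker.lower() in lowered for marker in ADMIN_SHARE_MARKERS)


def admin_share_hosts(command_line: str) -> list:
    """Hosts named in admin-share UNC paths, for triage pivots and tuning."""
    return [m.group(1) for m in UNC_ADMIN_SHARE.finditer(command_line)]


def run_detection(events, case_insensitive=True, known_backup_hosts=()):
    """Return the rows the rule would alert on.

    known_backup_hosts (an assumption for this example) is a tuning allowlist:
    a row whose admin-share targets are all approved backup servers is dropped.
    """
    allow = {h.lower() for h in known_backup_hosts}
    hits = []
    for event in events:
        if not is_sevenzip(event, case_insensitive):
            continue
        if not touches_admin_share(event.ProcessCommandLine):
            continue
        hosts = admin_share_hosts(event.ProcessCommandLine)
        if hosts and all(h.lower() in allow for h in hosts):
            continue
        hits.append(event)
    return hits


# Constructed DeviceProcessEvents rows (hosts, accounts and paths are made up).
SAMPLE_EVENTS = [
    # 1. A user's documents staged onto a file server's C$ share: should alert.
    ProcessEvent("WS-ALICE", "alice", "7z.exe", "7z.exe",
                 r"7z.exe a -mx1 \\FS01\C$\Temp\docs.7z C:\Users\alice\Documents"),
    # 2. Local archive only, no admin share on the command line: no alert.
    ProcessEvent("WS-ALICE", "alice", "7z.exe", "7z.exe",
                 r"7z.exe a -mx1 C:\Users\alice\Desktop\docs.7z C:\Users\alice\Documents"),
    # 3. Renamed binary: FileName looks harmless, version info still says 7za.exe.
    ProcessEvent("SRV-APP01", "svc_deploy", "update.exe", "7za.exe",
                 r"update.exe a -pSecret \\DC01\Admin$\Temp\out.7z C:\ProgramData\stage"),
    # 4. Version resource stripped and file name upper-cased: only in~ keeps it.
    ProcessEvent("WS-BOB", "bob", "7Z.EXE", "",
                 r"7Z.EXE a \\FS01\c$\Users\Public\x.7z C:\Users\bob"),
    # 5. Scheduled backup job writing to an approved backup server.
    ProcessEvent("SRV-DB01", "svc_backup", "7za.exe", "7za.exe",
                 r"7za.exe a \\BACKUP01\C$\Backups\db01.7z D:\Dumps"),
]


if __name__ == "__main__":
    for label, kwargs in (("in~ (as written)", {}),
                          ("plain in", {"case_insensitive": False}),
                          ("in~ plus backup allowlist", {"known_backup_hosts": ["BACKUP01"]})):
        hits = run_detection(SAMPLE_EVENTS, **kwargs)
        print(f"{label}: {[e.DeviceName for e in hits]}")
```

Running the script shows rows 1, 3, 4 and 5 alerting under `in~`, row 4 silently dropping under plain `in`, and row 5 dropping once `BACKUP01` is on the allowlist. The allowlist keys on the UNC host rather than on the account, so an attacker who reuses the backup service account but targets a different host still alerts.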

Ali Hussein
Released: March 18, 2025