An adversary may be leveraging CVE-2018-20250 by delivering a malicious ACE archive that, when extracted, executes arbitrary code on the system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate exploitation of this known vulnerability before it leads to a compromise.
YARA Rule
rule CVE_2018_20250 : AceArchive UNACEV2_DLL_EXP
{
    meta:
        description = "Generic rule for hostile ACE archive using CVE-2018-20250"
        author = "xylitol@temari.fr"
        date = "2019-03-17"
        reference = "https://research.checkpoint.com/extracting-code-execution-from-winrar/"
        // May only the challenge guide you
    strings:
        $string1 = "**ACE**" ascii wide
        $string2 = "*UNREGISTERED VERSION*" ascii wide
        // $hexstring1 = C:\C:\
        $hexstring1 = {?? 3A 5C ?? 3A 5C}
        // $hexstring2 = C:\C:C:..
        $hexstring2 = {?? 3A 5C ?? 3A ?? 3A 2E}
    condition:
        $string1 at 7 and $string2 at 31 and 1 of ($hexstring*)
}
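To make the rule's condition concrete, here is an added Python example (written for this page, not code from Xylitol or the referenced Check Point research) that evaluates the same logic over raw bytes: the "**ACE**" marker at offset 7, the "*UNREGISTERED VERSION*" marker at offset 31 (both in ASCII and, as YARA's wide modifier implies, UTF-16LE), and either of the two hex patterns anywhere in the file. The sample inputs are constructed: only the offsets the rule inspects are meaningful, and the first seven bytes that would hold a real ACE header's CRC, size, type and flags are zeros.

```python
import re

# Offsets and literals taken from the YARA rule above.
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7
UNREG_MARK = b"*UNREGISTERED VERSION*"
UNREG_MARK_OFFSET = 31

# The rule's two hex patterns as byte regexes ('.' with DOTALL stands in for '??'):
#   {?? 3A 5C ?? 3A 5C}       ->  ?:\?:\    (a repeated drive spec such as C:\C:\)
#   {?? 3A 5C ?? 3A ?? 3A 2E} ->  ?:\?:?:.  (the C:\C:C:. variant)
HEX_PATTERNS = (
    re.compile(rb".:\\.:\\", re.DOTALL),
    re.compile(rb".:\\.:.:\.", re.DOTALL),
)


def _encodings(s: bytes):
    """YARA 'ascii wide': the literal as given and as UTF-16LE."""
    return (s, s.decode("ascii").encode("utf-16-le"))


def _string_at(data: bytes, offset: int, s: bytes) -> bool:
    """Equivalent of YARA's '$s at N' for an 'ascii wide' string."""
    return any(data[offset:offset + len(v)] == v for v in _encodings(s))


def is_ace_archive(data: bytes) -> bool:
    """True when the ACE signature sits where the format (and the rule) expects it."""
    return _string_at(data, ACE_MAGIC_OFFSET, ACE_MAGIC)


def scan_bytes(data: bytes) -> dict:
    """Evaluate the rule's condition and report which parts matched and where."""
    hex_hits = [(i, m.start())
                for i, pat in enumerate(HEX_PATTERNS, start=1)
                for m in pat.finditer(data)]
    ace = is_ace_archive(data)
    unreg = _string_at(data, UNREG_MARK_OFFSET, UNREG_MARK)
    return {
        "ace_header": ace,
        "unregistered_marker": unreg,
        "hex_hits": hex_hits,               # list of (pattern number, byte offset)
        "matches_rule": ace and unreg and bool(hex_hits),
    }


def build_sample(stored_name: bytes) -> bytes:
    """Constructed test input (not a real archive): zeros stand in for CRC16, header
    size, header type and flags; the two markers are placed at the rule's offsets."""
    buf = bytearray(7)                               # placeholder header fields
    buf += ACE_MAGIC                                 # "**ACE**" lands at offset 7
    buf += bytes(UNREG_MARK_OFFSET - len(buf))       # pad up to offset 31
    buf += UNREG_MARK                                # marker lands at offset 31
    buf += bytes(8)                                  # padding standing in for more header fields
    buf += stored_name                               # the stored file name the hex patterns look at
    return bytes(buf)


BENIGN_SAMPLE = build_sample(b"report.txt")                # ACE header, ordinary name
FLAGGED_SAMPLE = build_sample(b"C:\\C:\\sample.txt")       # name shape matched by $hexstring1
FLAGGED_SAMPLE_2 = build_sample(b"C:\\C:C:.\\sample.txt")  # name shape matched by $hexstring2


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE),
                        ("flagged", FLAGGED_SAMPLE),
                        ("flagged-2", FLAGGED_SAMPLE_2)):
        print(label, scan_bytes(blob))
```

The fixed-offset checks are what keep this from firing on every file that happens to contain a doubled drive letter; a hunt that only greps for `C:\C:\` would be far noisier. Note also that the vulnerable code path lives in UNACEV2.DLL, which WinRAR stopped shipping in version 5.70, so a file-based hit on a host running a patched WinRAR is still worth recording but carries less urgency than one on an older install.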
This YARA rule can be deployed in the following contexts; each scenario below describes benign activity that may trigger it, together with a suggested filter or exclusion.
This rule contains 6 string patterns in its detection logic.
Scenario 1: A system administrator is using PowerShell to automate the cleanup of old ACE archives as part of a routine maintenance task.
    Filter/Exclusion: Exclude processes initiated by the administrator's user account (e.g., username) or filter by command-line arguments containing Cleanup or DeleteOldArchives.

Scenario 2: A scheduled job runs nightly to archive logs using 7-Zip or WinRAR for compliance purposes.
    Filter/Exclusion: Exclude processes with a CommandLine containing --archive or --compress, or filter by the job name or scheduled task ID.

Scenario 3: A third-party tool like Veeam Backup & Replication is compressing and archiving virtual machine files, which may trigger the rule due to ACE archive activity.
    Filter/Exclusion: Exclude processes associated with the Veeam service or filter by the process name veeam.exe or vmbackup.exe.

Scenario 4: A developer is using 7-Zip to package application binaries for deployment, which involves creating ACE archives.
    Filter/Exclusion: Exclude processes initiated by the developer's user account or filter by command-line arguments containing package, build, or deploy.

Scenario 5: A Windows Update or System File Checker (SFC) operation temporarily creates ACE archives during file integrity checks.
    Filter/Exclusion: Exclude processes with svchost.exe or wuauserv.exe or filter by the presence of Windows Update or System File Checker in the command line.
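The five exclusions above can be applied as an ordered allowlist over the process context attached to each rule hit, so that every suppressed hit carries the reason it was suppressed. The following Python is an added example written for this page (not part of the original guidance or any Sentinel feature); the account names, the scheduled task name and the sample hits are constructed placeholders, and the event fields `user`, `process` and `cmdline` are assumed names for whatever your pipeline calls them.

```python
from typing import Callable, List, Optional, Tuple

# Constructed placeholders: replace with the real accounts and task name in your tenant.
MAINTENANCE_ADMIN = "CORP\\maint-admin"   # the administrator account from scenario 1
BUILD_ACCOUNT = "CORP\\build-svc"          # the developer/build account from scenario 4
ARCHIVE_JOB_ID = "NightlyLogArchive"       # the scheduled task name from scenario 2


def _cmd_has(event: dict, *needles: str) -> bool:
    """Case-insensitive substring test on the command line."""
    cmd = event.get("cmdline", "").lower()
    return any(n.lower() in cmd for n in needles)


def _proc_is(event: dict, *names: str) -> bool:
    """Case-insensitive match on the image name."""
    return event.get("process", "").lower() in {n.lower() for n in names}


# One entry per scenario, in the order the page lists them: (label, predicate).
EXCLUSIONS: Tuple[Tuple[str, Callable[[dict], bool]], ...] = (
    ("routine-cleanup",
     lambda e: e.get("user") == MAINTENANCE_ADMIN or _cmd_has(e, "Cleanup", "DeleteOldArchives")),
    ("scheduled-archive",
     lambda e: _cmd_has(e, "--archive", "--compress", ARCHIVE_JOB_ID)),
    ("veeam-backup",
     lambda e: _proc_is(e, "veeam.exe", "vmbackup.exe")),
    ("build-packaging",
     lambda e: e.get("user") == BUILD_ACCOUNT or _cmd_has(e, "package", "build", "deploy")),
    ("windows-servicing",
     lambda e: _proc_is(e, "svchost.exe", "wuauserv.exe")
               or _cmd_has(e, "Windows Update", "System File Checker")),
)


def exclusion_for(event: dict) -> Optional[str]:
    """Label of the first exclusion that applies, or None if the hit should be triaged."""
    for label, applies in EXCLUSIONS:
        if applies(event):
            return label
    return None


def triage(events: List[dict]) -> Tuple[List[dict], List[Tuple[dict, str]]]:
    """Split rule hits into those to investigate and those suppressed (with the reason)."""
    kept: List[dict] = []
    suppressed: List[Tuple[dict, str]] = []
    for event in events:
        reason = exclusion_for(event)
        if reason is None:
            kept.append(event)
        else:
            suppressed.append((event, reason))
    return kept, suppressed


# Constructed sample hits standing in for process events joined to YARA matches.
SAMPLE_HITS = [
    {"user": MAINTENANCE_ADMIN, "process": "powershell.exe",
     "cmdline": "powershell.exe -File Cleanup-OldArchives.ps1"},
    {"user": "NT AUTHORITY\\SYSTEM", "process": "veeam.exe",
     "cmdline": "veeam.exe /backup vm01"},
    {"user": "CORP\\jdoe", "process": "WinRAR.exe",
     "cmdline": "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" C:\\Users\\jdoe\\Downloads\\invoice.ace"},
]


if __name__ == "__main__":
    to_investigate, dropped = triage(SAMPLE_HITS)
    for event, reason in dropped:
        print("suppressed:", reason, event["process"])
    for event in to_investigate:
        print("investigate:", event["user"], event["cmdline"])
```

Two things to keep in mind when tuning this way: bare substrings such as `build` or `package` also match unrelated command lines (including `rebuild`), so pair them with the user or parent process rather than using them alone; and an exclusion keyed on a process name or command-line token is only as trustworthy as the host that reported it, so keep the suppressed hits in a searchable table rather than discarding them.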