Adversaries have delivered CVE-2018-15982 exploits inside RAR archives attached to spear-phishing emails; once the Flash Player vulnerability gives them code execution, they use rar.exe to unpack and run a payload from a second archive. SOC teams can hunt for that extraction command line in Azure Sentinel (now Microsoft Sentinel) to find hosts where an unpatched Adobe Flash Player may have been exploited.
KQL Query
DeviceProcessEvents
// The exploit's payload-unpacking step runs through cmd.exe
// (== is case-sensitive; use =~ if FileName casing varies in your tenant).
| where FileName == "cmd.exe"
// Indicator 1: the command prepends both WinRAR install locations to PATH so rar.exe resolves.
| where ProcessCommandLine contains @"set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"
// Indicator 2: change to the directory the script was opened from (%~dp0) and extract every
// .rar there, overwriting existing files (-o+), recursing (-r) and suppressing errors (-inul).
| where ProcessCommandLine contains @"cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"
id: dac6bcd8-35c9-4937-88e8-3b1c00dcebe2
name: detect-malicious-rar-extraction
description: |
  This query was originally published in the threat analytics report, CVE-2018-15982 exploit attacks.
  CVE-2018-15982 is a use-after-free vulnerability in Adobe Flash Player that allows remote execution of arbitrary code. Adobe has since patched it (security bulletin APSB18-42).
  Actors have been observed using this vulnerability in targeted attacks. Exploits for CVE-2018-15982 have also been included in several exploit kits.
  In some initial attacks exploiting CVE-2018-15982, attackers sent targets spear-phishing emails. The emails included an attached RAR archive containing a lure document and a second archive disguised as a .jpg file. Opening the document automatically ran an embedded Flash ActiveX control, which in turn called a script containing the exploit. The exploit's arbitrary code execution was used to unpack and run a payload from the second archive. The payload is a backdoor used both to achieve persistence and for command and control.
  The following query detects possible instances of a payload being extracted by the exploit.
  References:
  https://nvd.nist.gov/vuln/detail/CVE-2018-15982
  https://helpx.adobe.com/security/products/flash-player/apsb18-42.html
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - InitialAccess
  - Execution
  - Persistence
  - CommandAndControl
query: |
  DeviceProcessEvents
  | where FileName == "cmd.exe"
  | where ProcessCommandLine contains @"set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"
  | where ProcessCommandLine contains @"cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure it is enabled |
Scenario: Legitimate RAR file extraction by a system administrator
Description: An administrator runs a batch script that sets the WinRAR path and extracts archives with rar.exe using the same switches the query looks for (e -o+ -r -inul). Interactive extraction through the WinRAR GUI or with 7-Zip does not produce this cmd.exe command line and will not match.
Filter/Exclusion: Exclude the specific script by its path in ProcessCommandLine or InitiatingProcessCommandLine, scoped to the DeviceName it runs on. Do not exclude administrator accounts wholesale: attackers routinely run under those same accounts, and the exploit payload inherits the logged-on user's context.
Scenario: Scheduled job extracting RAR archives for backup purposes
Description: A scheduled task runs a batch script that wraps rar.exe in the way the query looks for. A PowerShell script that calls rar.exe directly, or uses Expand-Archive, will not match because the query requires cmd.exe with that specific command line.
Filter/Exclusion: Exclude by the known script path in the command line, or by the launching process in InitiatingProcessFileName and InitiatingProcessCommandLine. DeviceProcessEvents does not record the scheduled task name, so key on the script path or device rather than on a task identifier; note that cmd.exe started by the Task Scheduler usually has svchost.exe as its parent, which is too generic to exclude on its own.
Scenario: User extracting a RAR file containing legitimate software
Description: A user downloads and extracts a RAR archive of a legitimate application or driver. This only matches if the package ships with a batch launcher that uses the same WinRAR path and rar.exe switches, which is uncommon.
Filter/Exclusion: Confirm what was actually extracted before excluding anything, then exclude the known-good package only by its specific launcher path. The hash of rar.exe itself does not separate benign from malicious here, because the attack uses the legitimate WinRAR binary, and excluding by "trusted" user accounts gives the attacker a free pass on exactly the users who open attachments.
Scenario: Internal tool using RAR archives for data transfer
Description: An internal tool or script uses RAR archives to transfer data between servers, such as a custom data migration utility, and drives rar.exe through a cmd.exe wrapper with these switches.
Filter/Exclusion: Exclude by the tool's executable name in InitiatingProcessFileName, by its script path in the command line, and by the DeviceName of the servers involved. DeviceProcessEvents carries no source IP for process creation, so an internal IP range cannot be used as a filter for this query.
Scenario: Antivirus or endpoint protection tool extracting quarantine files
Description: Endpoint protection products unpack archives inside their own engine and do not normally spawn cmd.exe with a WinRAR wrapper, so this scenario is unlikely to match. It becomes relevant only where a product's cleanup or restore script invokes rar.exe this way.
Filter/Exclusion: After confirming the product really behaves this way, exclude by its process name in InitiatingProcessFileName or by the quarantine directory in the command line, rather than by vendor name alone.
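A tuned version of the hunt, added here as an example; it is not the query from the threat analytics report or the Sentinel repository. It keeps the report's two indicators verbatim, adds a spacing- and case-tolerant match on the rar.exe switches, surfaces the parent-process and account columns needed to triage the false-positive scenarios above, and applies the scenario exclusions through allowlist tables instead of account-based filters. The script paths, the allowed parent executable, and the Office-parent heuristic are assumptions for illustration (the report does not state what kind of document hosted the Flash control), so replace them with values from your own environment.

```kql
// Added example: tuned hunt for the CVE-2018-15982 rar.exe extraction step.
// Not the original hunting query; allowlist values are placeholders (assumptions).
let lookback = 30d;
// Known-good batch scripts that legitimately wrap rar.exe this way (illustrative paths, not real).
let allowedScripts = datatable(ScriptPath:string)
[
    @"C:\Ops\Backup\nightly-extract.cmd",
    @"C:\Tools\Migration\unpack.cmd"
];
// Parent processes permitted to launch the wrapper, e.g. an internal transfer tool (illustrative name).
let allowedParents = datatable(ParentName:string)
[
    "datamover.exe"
];
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "cmd.exe"
// Original indicators from the threat analytics report, kept verbatim.
| extend OriginalMatch =
    ProcessCommandLine contains @"set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR;"
    and ProcessCommandLine contains @"cd /d %~dp0 & rar.exe e -o+ -r -inul*.rar"
// Looser behavioural match: the same rar.exe switches (e = extract, -o+ = overwrite,
// -r = recurse, -inul = suppress errors) regardless of spacing or case, plus the
// %~dp0 idiom that points at the directory the script was opened from.
| extend LooseMatch =
    ProcessCommandLine contains "%~dp0"
    and ProcessCommandLine contains ".rar"
    and ProcessCommandLine matches regex @"(?i)rar\.exe\s+e\s+-o\+\s+-r\s+-inul"
| where OriginalMatch or LooseMatch
// Exclusions for the documented false-positive scenarios: key on the script path or
// the launching process, never on the account alone.
| where not(ProcessCommandLine has_any (allowedScripts))
| where not(InitiatingProcessCommandLine has_any (allowedScripts))
| where not(InitiatingProcessFileName in~ (allowedParents))
// Triage signal (assumption, not from the report): the lure was a document hosting a
// Flash ActiveX control, so an Office parent or grandparent raises confidence.
| extend OfficeParent =
    InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
    or InitiatingProcessParentFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
| project Timestamp, DeviceName, AccountDomain, AccountName,
    OriginalMatch, LooseMatch, OfficeParent,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    InitiatingProcessParentFileName, FolderPath, SHA256
| order by OfficeParent desc, OriginalMatch desc, Timestamp desc
```

Rows with OriginalMatch true are the report's exact indicator and should be treated as high priority; LooseMatch-only rows catch rewrites of the same batch logic but will need a look at the command line before escalation. Because the exclusions are driven by `has_any` against the allowlist tables, adding a newly vetted script is a one-line change to `allowedScripts` and never requires touching the match logic.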