Adversaries may exploit the WinRAR CVE-2018-20250 vulnerability to create arbitrary files and execute malicious code through crafted archive files. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exploitation of outdated WinRAR installations and mitigate lateral movement or persistence risks.
KQL Query

```kusto
//Query for WinRAR file creation in the Startup folder
DeviceFileEvents
| where Timestamp > ago(7d)
//Look for WinRAR as the initiating process or a commandline that has ".rar"
| where (InitiatingProcessFileName =~ "winrar.exe"
    or InitiatingProcessCommandLine contains ".rar")
//Check for the file in the Startup folder
    and FolderPath contains "Programs\\Startup"
```
```yaml
id: 04eaf822-d364-4434-b2c8-a6378d97f192
name: winrar-cve-2018-20250-file-creation
description: |
  This query was originally published in the threat analytics report, WinRAR CVE-2018-20250 exploit.
  WinRAR is a third-party file compression application. Versions 5.61 and earlier contained a flaw that could be exploited by an attacker to read from and write to an arbitrary path on the target's system. This could be used to run arbitrary code, overwrite system files, or access sensitive information. This vulnerability was designated CVE-2018-20250, and it is associated with an outdated version of the legacy ACE compression library, 'unacev2.dll'.
  The following query detects possible CVE-2018-20250 exploitation by looking for files created in the Startup folder.
  Reference - https://nvd.nist.gov/vuln/detail/CVE-2018-20250
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Execution
  - Lateral movement
  - Impact
query: |
  //Query for WinRAR file creation in the Startup folder
  DeviceFileEvents
  | where Timestamp > ago(7d)
  //Look for WinRAR as the initiating process or a commandline that has ".rar"
  | where (InitiatingProcessFileName =~ "winrar.exe"
      or InitiatingProcessCommandLine contains ".rar")
  //Check for the file in the Startup folder
      and FolderPath contains "Programs\\Startup"
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate use of WinRAR for file compression
Description: A system administrator uses WinRAR to compress files for archival or backup purposes.
Filter/Exclusion: Exclude events where the parent process is explorer.exe or cmd.exe and the file path contains a known archive directory (e.g., C:\Archives\, D:\Backups\).
Example Filter (appended to the hunt; `in~` and `contains` are case-insensitive): `| where not (InitiatingProcessParentFileName in~ ("explorer.exe", "cmd.exe") and (FolderPath contains "\\Archives\\" or FolderPath contains "\\Backups\\"))`
Scenario: Scheduled job using WinRAR to process files
Description: A scheduled task runs WinRAR to automate file compression or extraction.
Filter/Exclusion: Exclude events where the parent process is schtasks.exe or the Task Scheduler and the file path is within a known job directory (e.g., C:\ScheduledTasks\).
Example Filter: `| where not (InitiatingProcessParentFileName =~ "schtasks.exe" and FolderPath contains "\\ScheduledTasks\\")`
Scenario: User extracting files using WinRAR
Description: A user extracts files using WinRAR, which may trigger the rule because extraction creates files.
Filter/Exclusion: Exclude events where the account is a regular user and the file path is within a user-specific directory (e.g., C:\Users\%username%\Downloads\). Keep such path exclusions narrow: the base query already restricts FolderPath to a Programs\Startup folder, and the per-user Startup folder itself lives inside the user's profile, so an exclusion on the whole profile would suppress the very events the hunt looks for.
Example Filter: `| where not (InitiatingProcessAccountName !~ "system" and FolderPath contains "\\Downloads\\")`
Scenario: Antivirus or endpoint protection tool using WinRAR
Description: An endpoint protection tool or antivirus may use WinRAR for quarantine or analysis of compressed files.
Filter/Exclusion: Exclude events where the parent process is a known security tool (e.g., avgnt.exe, mcafee.exe, bitdefender.exe) or the file path contains a security tool directory.
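To check the base predicate and the four tuning exclusions together without a Sentinel workspace, the following added Python example (not part of the original hunting query or the Azure Sentinel repository) re-implements the KQL logic over a handful of constructed DeviceFileEvents rows. It mirrors the case-insensitive behaviour of KQL `=~`, `in~` and `contains`, uses the real DeviceFileEvents column names, and treats the list of security-tool parents, the archive and job directories, and every sample row as assumptions made up for the demonstration.

```python
"""Offline model of the WinRAR CVE-2018-20250 Startup-folder hunt.

Added example: re-implements the KQL predicate and the false-positive
exclusions in Python over constructed DeviceFileEvents rows.  Column
names follow the DeviceFileEvents schema; the sample rows are made up.
"""
from dataclasses import dataclass


@dataclass
class DeviceFileEvent:
    """Subset of DeviceFileEvents columns used by the hunt and its exclusions."""
    FileName: str
    FolderPath: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    InitiatingProcessParentFileName: str
    InitiatingProcessAccountName: str


def matches_base_query(e: DeviceFileEvent) -> bool:
    """Same predicate as the KQL: (winrar.exe initiator OR '.rar' on the
    command line) AND the file landed in a Programs\\Startup folder.
    KQL '=~' and 'contains' are case-insensitive, hence the lower() calls."""
    winrar_related = (
        e.InitiatingProcessFileName.lower() == "winrar.exe"
        or ".rar" in e.InitiatingProcessCommandLine.lower()
    )
    in_startup = "programs\\startup" in e.FolderPath.lower()
    return winrar_related and in_startup


# Tuning exclusions from the false-positive scenarios; each returns True
# when the row should be suppressed.  Directory and tool names are assumed.
def admin_archiving(e: DeviceFileEvent) -> bool:
    return (e.InitiatingProcessParentFileName.lower() in ("explorer.exe", "cmd.exe")
            and any(d in e.FolderPath.lower() for d in ("\\archives\\", "\\backups\\")))


def scheduled_job(e: DeviceFileEvent) -> bool:
    return (e.InitiatingProcessParentFileName.lower() == "schtasks.exe"
            and "\\scheduledtasks\\" in e.FolderPath.lower())


def user_download(e: DeviceFileEvent) -> bool:
    return (e.InitiatingProcessAccountName.lower() != "system"
            and "\\downloads\\" in e.FolderPath.lower())


def security_tool(e: DeviceFileEvent) -> bool:
    return e.InitiatingProcessParentFileName.lower() in (
        "avgnt.exe", "mcafee.exe", "bitdefender.exe")


EXCLUSIONS = (admin_archiving, scheduled_job, user_download, security_tool)


def hunt(events):
    """Return the FileName of every row the tuned hunt would surface."""
    return [e.FileName for e in events
            if matches_base_query(e) and not any(x(e) for x in EXCLUSIONS)]


USER_STARTUP = ("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                "\\Start Menu\\Programs\\Startup")
ALL_USERS_STARTUP = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"

# Constructed sample rows (not real telemetry).
SAMPLE_EVENTS = [
    # 1: WinRAR writes an executable into the per-user Startup folder -> hit
    DeviceFileEvent("updater.exe", USER_STARTUP, "WinRAR.exe",
                    '"C:\\Program Files\\WinRAR\\WinRAR.exe" C:\\Users\\alice\\Downloads\\invoice.rar',
                    "explorer.exe", "alice"),
    # 2: only the command line mentions .rar; target is the all-users Startup folder -> hit
    DeviceFileEvent("helper.vbs", ALL_USERS_STARTUP, "cmd.exe",
                    "cmd.exe /c unrar x C:\\temp\\pack.rar", "powershell.exe", "system"),
    # 3: ordinary extraction into Downloads, never a Startup folder -> no base match
    DeviceFileEvent("readme.txt", "C:\\Users\\bob\\Downloads\\pack", "WinRAR.exe",
                    '"C:\\Program Files\\WinRAR\\WinRAR.exe" x pack.rar', "explorer.exe", "bob"),
    # 4: base match, but the parent is a listed security tool -> suppressed by exclusion
    DeviceFileEvent("scan.log", ALL_USERS_STARTUP, "WinRAR.exe",
                    '"C:\\Program Files\\WinRAR\\WinRAR.exe" x sample.rar', "avgnt.exe", "system"),
]

if __name__ == "__main__":
    for name in hunt(SAMPLE_EVENTS):
        print("hit:", name)
```

Running the script surfaces rows 1 and 2 only: row 3 never enters a Startup folder, so no path-based exclusion is needed for it, and row 4 shows that the parent-process exclusions are the ones that actually intersect with the base query, which is why they deserve the most scrutiny before being deployed.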