← Back to Explore
sigmahighHunting
WinRAR Creating Files in Startup Locations
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
Detection Query
selection:
Image|endswith:
- \WinRAR.exe
- \Rar.exe
TargetFilename|contains: \Start Menu\Programs\Startup\
condition: selection
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2025-07-16
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.t1547.001
Raw Content
title: WinRAR Creating Files in Startup Locations
id: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc
status: experimental
description: |
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
references:
- https://github.com/mulwareX/CVE-2025-6218-POC
- https://x.com/0x534c/status/1944694507787710685
- https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-16
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- '\WinRAR.exe'
- '\Rar.exe'
TargetFilename|contains: '\Start Menu\Programs\Startup\'
condition: selection
falsepositives:
- Unknown
level: high