Detect .ace files associated with WinRAR absolute path transversal exploit, CVE-2018-20250

# Detect .ace files associated with WinRAR absolute path transversal exploit, CVE-2018-20250

This query was originally published in the threat analytics report, *WinRAR CVE-2018-20250 exploit*

WinRAR is a third-party file compressing application. Versions 5.61 and earlier contained a flaw that could be exploited by an attacker to read and write to an arbitrary path on the target's system. This could be used to run arbitrary code, overwrite system files, or access sensitive information. This vulnerability was designated [CVE-2018-20250](https://nvd.nist.gov/vuln/detail/CVE-2018-20250), and it is associated an outdated version of the legacy ACE compression library, `unacev2.dll`.

The following query detects possible CVE-2020-20250 exploitation by looking for files with the *.ace* extension.

## Query

```Kusto
//Query for .ace files
DeviceFileEvents
| where Timestamp > ago(7d)
//Look for ACE files
| where FileName endswith ".ace"
//Exclude clean ACE files used by Trend Micro
| where FolderPath !contains @'\Trend Micro'
```

## Category

This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access |  |  |
| Execution | v |  |
| Persistence |  |  |
| Privilege escalation |  |  |
| Defense evasion |  |  |
| Credential Access |  |  |
| Discovery |  |  |
| Lateral movement | v |  |
| Collection |  |  |
| Command and control |  |  |
| Exfiltration |  |  |
| Impact | v |  |
| Vulnerability |  |  |
| Misconfiguration |  |  |
| Malware, component |  |  |

## See also

[File creation with WinRAR absolute path transversal exploit, CVE-2018-20250](winrar-cve-2018-20250-file-creation.md)

## Contributor info

**Contributor:** Microsoft Threat Protection team