# File creation with WinRAR absolute path traversal exploit, CVE-2018-20250
This query was originally published in the threat analytics report, *WinRAR CVE-2018-20250 exploit*
**Data sources:** DeviceFileEvents
**Platforms:** windows
**Tags:** exploits
WinRAR is a third-party file compression application. Versions 5.61 and earlier contained a flaw that could be exploited by an attacker to read and write to an arbitrary path on the target's system. This could be used to run arbitrary code, overwrite system files, or access sensitive information. This vulnerability was designated [CVE-2018-20250](https://nvd.nist.gov/vuln/detail/CVE-2018-20250), and it is associated with an outdated version of the legacy ACE compression library, `unacev2.dll`.
The following query detects possible CVE-2018-20250 exploitation by looking for files created in a Startup folder where the initiating process is WinRAR, or where the initiating process's command line references a `.rar` archive.
## Query
```Kusto
//Query for WinRAR file creation in the Startup folder
DeviceFileEvents
| where Timestamp > ago(7d)
//Look for WinRAR as the initiating process or a commandline that has ".rar"
| where (InitiatingProcessFileName =~ "winrar.exe"
or InitiatingProcessCommandLine contains ".rar")
//Check for the file in the Startup folder
and FolderPath contains "Programs\\Startup"
```
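To make the query's predicates concrete, the following is an added Python re-implementation (not part of the original query or of the Microsoft repository) run over constructed DeviceFileEvents rows. It shows that KQL `=~` and `contains` are case-insensitive, that both the per-user and the All Users Startup folders satisfy the `FolderPath` test, and that the `.rar` command-line branch also fires for extractors other than WinRAR; the paths, process names and timestamps are all assumed sample values.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 7-day window in the example is deterministic.
NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)
USER_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ALL_USERS_STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed sample DeviceFileEvents rows (not real telemetry); only the
# columns the KQL query filters on are included.
SAMPLE_EVENTS = [
    # 1: WinRAR wrote an executable into the user's Startup folder -> should match
    {"Timestamp": NOW - timedelta(hours=2), "InitiatingProcessFileName": "WinRAR.exe",
     "InitiatingProcessCommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\invoice.rar"',
     "FolderPath": USER_STARTUP + r"\update.exe"},
    # 2: another extractor, but its command line names a .RAR and it wrote to All Users Startup -> matches
    {"Timestamp": NOW - timedelta(days=1), "InitiatingProcessFileName": "7zFM.exe",
     "InitiatingProcessCommandLine": r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\alice\Downloads\PHOTOS.RAR"',
     "FolderPath": ALL_USERS_STARTUP + r"\helper.exe"},
    # 3: WinRAR extracting into Downloads, the normal case -> no match
    {"Timestamp": NOW - timedelta(hours=1), "InitiatingProcessFileName": "WinRAR.exe",
     "InitiatingProcessCommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\invoice.rar"',
     "FolderPath": r"C:\Users\alice\Downloads\invoice\invoice.pdf"},
    # 4: a user placing a shortcut into Startup by hand -> no match
    {"Timestamp": NOW - timedelta(hours=3), "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessCommandLine": "explorer.exe",
     "FolderPath": USER_STARTUP + r"\notes.lnk"},
    # 5: same as 1 but 10 days old -> outside ago(7d)
    {"Timestamp": NOW - timedelta(days=10), "InitiatingProcessFileName": "WinRAR.exe",
     "InitiatingProcessCommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\old.rar"',
     "FolderPath": USER_STARTUP + r"\old.exe"},
]

def matches_winrar_startup_query(event, now=NOW, lookback=timedelta(days=7)):
    """Re-implementation of the page's KQL predicates for one DeviceFileEvents row.
    KQL `=~` is case-insensitive equality and `contains` is a case-insensitive
    substring test, so every comparison here is done on lower-cased strings.
    """
    if not event["Timestamp"] > now - lookback:          # Timestamp > ago(7d)
        return False
    from_winrar = event["InitiatingProcessFileName"].lower() == "winrar.exe"
    rar_in_cmdline = ".rar" in event["InitiatingProcessCommandLine"].lower()
    in_startup = "programs\\startup" in event["FolderPath"].lower()
    return (from_winrar or rar_in_cmdline) and in_startup

def hunt(events, now=NOW):
    """Return the FolderPath of every row the query would surface, in input order."""
    return [e["FolderPath"] for e in events if matches_winrar_startup_query(e, now)]
```

Row 2 is a reminder that the `.rar` branch is a broad net: any process whose command line mentions a `.rar` and then writes into Startup is returned, so triage should confirm the initiating process before treating a hit as exploitation.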
## Category
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|-|-|-|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | v | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |
## See also
[Detect .ace files associated with WinRAR absolute path traversal exploit, CVE-2018-20250](winrar-cve-2018-20250-ace-files.md)
## Contributor info
**Contributor:** Microsoft Threat Protection team