WinRAR Creating Files in Startup Locations

Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been associated with exploitation of the WinRAR path traversal vulnerabilities CVE-2025-6218 or CVE-2025-8088.

Sigma rule

title: WinRAR Creating Files in Startup Locations
id: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc
status: experimental
description: |
    Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
    This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
references:
    - https://github.com/mulwareX/CVE-2025-6218-POC
    - https://x.com/0x534c/status/1944694507787710685
    - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WinRAR.exe'
            - '\Rar.exe'
        TargetFilename|contains: '\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unknown
level: high
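As an added example (not code from the rule's author or from the Sigma project), the following Python evaluates this rule's `selection` block against a few constructed file_event records, showing which writes it would flag and which it ignores. The sample events are constructed, and the field names (`Image`, `TargetFilename`) are the Sysmon file-event fields that Sigma's windows/file_event log source maps to.

```python
# Minimal evaluator for the rule's `selection` block (added example, not part
# of the Sigma rule or the Sigma project). Sigma string values are matched
# case-insensitively, and a backslash before a normal character is literal,
# so lowercased plain-string comparison reproduces the rule's semantics.
from typing import Iterable

# The selection, transcribed from the YAML above (values lowercased once).
IMAGE_SUFFIXES = ("\\winrar.exe", "\\rar.exe")          # Image|endswith
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"  # TargetFilename|contains


def matches_rule(event: dict) -> bool:
    """Return True when a file_event record satisfies the rule's selection."""
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    # A list under one field is OR-ed: either WinRAR.exe or Rar.exe qualifies.
    image_hit = any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES)
    # The second field in the same map must also hold (fields are AND-ed).
    target_hit = STARTUP_FRAGMENT in target
    # condition: selection -> the whole map must match.
    return image_hit and target_hit


def alerts(events: Iterable[dict]) -> list:
    """Filter a stream of file_event records down to those the rule flags."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # WinRAR writing into the per-user Startup folder: should alert
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    },
    {   # Console Rar.exe into the all-users Startup folder, mixed case: should alert
        "Image": r"C:\Program Files\WinRAR\RAR.EXE",
        "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.exe",
    },
    {   # WinRAR extracting to an ordinary folder: no alert
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\archive\report.pdf",
    },
    {   # Another process writing to Startup: outside this rule's scope
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk",
    },
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```

The fourth event shows the rule's deliberate scope: writes to Startup by processes other than WinRAR are left to other rules.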
