WinRAR creating files in Windows startup locations suggests an adversary is attempting to establish persistence by leveraging the Startup folder to execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential persistence mechanisms used by advanced threats.
Detection Rule
title: WinRAR Creating Files in Startup Locations
id: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc
status: experimental
description: |
    Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
    This kind of behaviour has been associated with exploitation of the WinRAR path traversal vulnerabilities CVE-2025-6218 or CVE-2025-8088.
references:
    - https://github.com/mulwareX/CVE-2025-6218-POC
    - https://x.com/0x534c/status/1944694507787710685
    - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WinRAR.exe'
            - '\Rar.exe'
        TargetFilename|contains: '\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unknown
level: high
// Azure Sentinel (ASIM FileEvent) translation: Sigma's Image is the acting process, TargetFilename is the full target path
imFileEvent
| where (ActingProcessName endswith "\\WinRAR.exe" or ActingProcessName endswith "\\Rar.exe") and TargetFilePath contains "\\Start Menu\\Programs\\Startup\\"
Scenario: System Administrator Deploys a Legitimate Script via WinRAR
Description: An admin uses WinRAR to package a legitimate script (e.g., setup.exe) and places it in the Startup folder as part of a deployment process.
Filter/Exclusion: Check for the presence of known admin tools or deployment scripts (e.g., setup.exe, deploy.bat) in the file path or content. Exclude files signed by trusted publishers or those located in known deployment directories (e.g., C:\Windows\Temp).
Scenario: Scheduled Job Uses WinRAR to Generate Reports in Startup Folder
Description: A scheduled task uses WinRAR to generate compressed reports and stores them in the Startup folder for quick access.
Filter/Exclusion: Exclude files with .zip or .rar extensions created by known reporting tools (e.g., report_generator.exe) or within scheduled task directories (e.g., C:\Windows\Tasks).
Scenario: IT Team Uses WinRAR to Distribute Configuration Files to Startup Folder
Description: IT uses WinRAR to bundle configuration files and place them in the Startup folder to ensure they load on system boot.
Filter/Exclusion: Exclude files with known IT tool signatures (e.g., config_utils.exe) or files located in IT-specific directories (e.g., C:\IT_Config).
Scenario: User Installs a Legitimate Application That Uses WinRAR for Setup
Description: A user installs a legitimate application (e.g., Adobe Acrobat) that uses WinRAR for its installation package, and the installer places a temporary file in the Startup folder during setup.
Filter/Exclusion: Exclude files associated with known software installers (e.g., AcroRd32.exe) or files with temporary file extensions (e.g., .tmp, .log
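The selection logic of the rule above, together with the kind of tuning the false-positive scenarios describe, as an added example (not part of the original rule or its Sentinel translation). The log format, the sample events and the allowlists are constructed for illustration; in a real deployment the allowlist would come from a reviewed list of deployment tooling, not from file names alone.

```python
from typing import Iterable

# Sigma string modifiers match case-insensitively, and Windows paths are case-insensitive,
# so everything is lowered before comparison.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
WINRAR_IMAGES = ("\\winrar.exe", "\\rar.exe")

# Hypothetical tuning taken from the scenarios above: known deployment file names and
# temporary-file extensions that an analyst has decided to suppress.
BENIGN_TARGET_NAMES = {"setup.exe", "deploy.bat", "config_utils.exe"}
BENIGN_EXTENSIONS = (".tmp", ".log")


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=value;Key=value' file-event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)


def matches_rule(event: dict) -> bool:
    """Mirror of the Sigma selection: Image ends with WinRAR/Rar, target is under Startup."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(WINRAR_IMAGES) and STARTUP_MARKER in target


def is_tuned_out(event: dict) -> bool:
    """Suppress matches the allowlist treats as benign (file name or extension only)."""
    name = event.get("TargetFilename", "").rsplit("\\", 1)[-1].lower()
    return name in BENIGN_TARGET_NAMES or name.endswith(BENIGN_EXTENSIONS)


def hunt(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Classify each event as alert, suppressed or no_match; returns (status, target path)."""
    results = []
    for line in lines:
        ev = parse_event(line)
        if not matches_rule(ev):
            status = "no_match"
        else:
            status = "suppressed" if is_tuned_out(ev) else "alert"
        results.append((status, ev.get("TargetFilename", "")))
    return results


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "Image=C:\\Program Files\\WinRAR\\WinRAR.exe;TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "Image=C:\\Program Files\\WinRAR\\Rar.exe;TargetFilename=C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\deploy.bat",
    "Image=C:\\Windows\\explorer.exe;TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.lnk",
    "Image=C:\\Program Files\\WinRAR\\WinRAR.exe;TargetFilename=C:\\Users\\alice\\Downloads\\archive\\readme.txt",
    "Image=C:\\Program Files\\WinRAR\\WinRAR.exe;TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\extract.tmp",
]

if __name__ == "__main__":
    for status, target in hunt(SAMPLE_LOG):
        print(f"{status:10} {target}")
```

Only the first sample event survives as an alert; the second and fifth match the rule but are suppressed by the name and extension allowlists, which is exactly why such allowlists should be narrow and reviewed.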