Adversaries may exploit the WinRAR CVE-2018-20250 vulnerability to execute arbitrary code through specially crafted ACE files, leveraging compromised or unpatched systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exploitation attempts and mitigate the risk of persistent, stealthy malware deployment.
KQL Query

```kql
//Query for .ace files
DeviceFileEvents
| where Timestamp > ago(7d)
//Look for ACE files
| where FileName endswith ".ace"
//Exclude clean ACE files used by Trend Micro
| where FolderPath !contains @'\Trend Micro'
```
```yaml
id: 8320de94-2411-4748-9329-e1543f257323
name: winrar-cve-2018-20250-ace-files
description: |
  This query was originally published in the threat analytics report, WinRAR CVE-2018-20250 exploit.
  WinRAR is a third-party file compressing application. Versions 5.61 and earlier contained a flaw that could be exploited by an attacker to read and write to an arbitrary path on the target's system. This could be used to run arbitrary code, overwrite system files, or access sensitive information. This vulnerability was designated CVE-2018-20250, and it is associated with an outdated version of the legacy ACE compression library, 'unacev2.dll'.
  The following query detects possible CVE-2018-20250 exploitation by looking for files with the .ace extension.
  Reference - https://nvd.nist.gov/vuln/detail/CVE-2018-20250
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Execution
  - Lateral movement
  - Impact
query: |
  //Query for .ace files
  DeviceFileEvents
  | where Timestamp > ago(7d)
  //Look for ACE files
  | where FileName endswith ".ace"
  //Exclude clean ACE files used by Trend Micro
  | where FolderPath !contains @'\Trend Micro'
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Legitimate use of WinRAR for file compression
Description: A user or administrator is using WinRAR to compress files as part of routine data management or backup processes.
Filter/Exclusion: Exclude processes where the parent process is explorer.exe or cmd.exe and the file path contains known legitimate compression directories (e.g., C:\Users\*\Documents\Archives).
Scenario: Scheduled job for automated file archiving
Description: A system administrator has configured a scheduled task to archive log files or temporary data using WinRAR.
Filter/Exclusion: Exclude processes where the command line includes -v (volume size) or -m (compression method) flags, and the file path matches known job directories (e.g., C:\ScheduledTasks\ArchiveLogs).
Scenario: Admin task involving file extraction
Description: An administrator is extracting files from a RAR archive as part of a system maintenance or software deployment task.
Filter/Exclusion: Exclude processes where the command line includes -x (exclude files) or -y (overwrite without prompt), and the file path is within a known admin tools directory (e.g., C:\Windows\System32\ or C:\Program Files\).
Scenario: Use of WinRAR in a development environment
Description: A developer is using WinRAR to manage project archives or version control artifacts.
Filter/Exclusion: Exclude processes where the user account is a developer account (e.g., DevUser) and the file path is within a development directory (e.g., C:\Dev\Projects\).
Scenario: File compression during backup operations
Description: A backup tool or script is using WinRAR to compress data before transferring it to a remote server or cloud storage.
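As an added example that is not part of the original page or of the Sentinel query itself, the Python below reimplements the three filters of the hunting query (7-day window, `.ace` file name, Trend Micro folder exclusion) over constructed DeviceFileEvents-style records, and then layers a directory allowlist of the kind the tuning scenarios above describe. Field names follow the DeviceFileEvents schema; the sample events, paths, process names, the fixed clock and the allowlisted directory are constructed assumptions. One detail worth seeing in code: KQL `endswith` and `contains` are case-insensitive, so `PATTERN.ACE` and `\TREND MICRO` must be handled the same way as their lower-case forms.

```python
"""Added example, not the page's or Microsoft's own code: the WinRAR
CVE-2018-20250 ACE-file hunting query re-implemented over constructed
DeviceFileEvents-style records so its filters can be exercised offline.
Field names follow the DeviceFileEvents schema (Timestamp, FileName,
FolderPath, InitiatingProcessFileName); every event below is constructed."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example
LOOKBACK = timedelta(days=7)                               # ago(7d)

# Same exclusion as the KQL line: FolderPath !contains @'\Trend Micro'
EXCLUDED_PATH_FRAGMENTS = [r"\Trend Micro"]

# Constructed DeviceFileEvents-like records (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=2), "FileName": "invoice.ace",
     "FolderPath": r"C:\Users\alice\Downloads\invoice.ace",
     "InitiatingProcessFileName": "outlook.exe"},
    {"Timestamp": NOW - timedelta(days=1), "FileName": "PATTERN.ACE",   # upper case: KQL endswith still matches
     "FolderPath": r"C:\Users\bob\Desktop\PATTERN.ACE",
     "InitiatingProcessFileName": "chrome.exe"},
    {"Timestamp": NOW - timedelta(days=3), "FileName": "update.ace",    # excluded by the Trend Micro path filter
     "FolderPath": r"C:\Program Files\Trend Micro\AMSP\update.ace",
     "InitiatingProcessFileName": "coreserviceshell.exe"},
    {"Timestamp": NOW - timedelta(days=9), "FileName": "old.ace",       # outside the 7-day window
     "FolderPath": r"C:\Temp\old.ace",
     "InitiatingProcessFileName": "winrar.exe"},
    {"Timestamp": NOW - timedelta(hours=1), "FileName": "notes.acex",   # does not end with .ace
     "FolderPath": r"C:\Temp\notes.acex",
     "InitiatingProcessFileName": "notepad.exe"},
    {"Timestamp": NOW - timedelta(hours=5), "FileName": "logs.ace",     # hypothetical scheduled archiving job
     "FolderPath": r"C:\ScheduledTasks\ArchiveLogs\logs.ace",
     "InitiatingProcessFileName": "winrar.exe"},
]


def matches_base_rule(event, now=NOW):
    """Mirror of the three KQL filters.

    KQL endswith and contains are case-insensitive, so both the file name
    and the folder path are compared in lower case."""
    if event["Timestamp"] <= now - LOOKBACK:          # Timestamp > ago(7d)
        return False
    if not event["FileName"].lower().endswith(".ace"):  # FileName endswith ".ace"
        return False
    folder = event["FolderPath"].lower()
    # FolderPath !contains @'\Trend Micro'
    return not any(frag.lower() in folder for frag in EXCLUDED_PATH_FRAGMENTS)


def hunt(events, allowlist_prefixes=(), now=NOW):
    """Run the base rule, then drop hits whose folder starts with an
    allowlisted directory, the way the tuning scenarios suggest for known
    archiving jobs. The allowlist is applied after the base rule so the
    untuned results remain available for review."""
    hits = []
    for ev in events:
        if not matches_base_rule(ev, now):
            continue
        folder = ev["FolderPath"].lower()
        if any(folder.startswith(p.lower()) for p in allowlist_prefixes):
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    tuned = hunt(SAMPLE_EVENTS, allowlist_prefixes=[r"C:\ScheduledTasks\ArchiveLogs"])
    for ev in tuned:
        print(ev["Timestamp"].isoformat(), ev["FolderPath"], ev["InitiatingProcessFileName"])
```

Against the sample set the base rule returns three events (the two user downloads and the scheduled-job archive) and the allowlisted run returns two. Each allowlist prefix corresponds to one more `| where FolderPath !startswith @'...'` line in the KQL; keeping such exclusions narrow (a full directory prefix, not a bare keyword) avoids silently suppressing an ACE file an attacker drops somewhere that merely shares a path fragment with the allowlisted job.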