Merge pull request #196 from martyav/winrar-exploit

added files related to cve-2018-20250

Author: tali-ash

Exploits/winrar-cve-2018-20250-ace-files.md

@@ -0,0 +1,49 @@
+# Detect .ace files associated with WinRAR absolute path transversal exploit, CVE-2018-20250
+
+This query was originally published in the threat analytics report, *WinRAR CVE-2018-20250 exploit*
+
+WinRAR is a third-party file compressing application. Versions 5.61 and earlier contained a flaw that could be exploited by an attacker to read and write to an arbitrary path on the target's system. This could be used to run arbitrary code, overwrite system files, or access sensitive information. This vulnerability was designated [CVE-2018-20250](https://nvd.nist.gov/vuln/detail/CVE-2018-20250), and it is associated an outdated version of the legacy ACE compression library, `unacev2.dll`.
+
+The following query detects possible CVE-2020-20250 exploitation by looking for files with the *.ace* extension.
+
+## Query
+
+```Kusto
+//Query for .ace files
+DeviceFileEvents
+| where Timestamp > ago(7d)
+//Look for ACE files
+| where FileName endswith ".ace"
+//Exclude clean ACE files used by Trend Micro
+| where FolderPath !contains @'\Trend Micro'
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement | v |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact | v |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+[File creation with WinRAR absolute path transversal exploit, CVE-2018-20250](winrar-cve-2018-20250-file-creation.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team

Exploits/winrar-cve-2018-20250-file-creation.md

@@ -0,0 +1,50 @@
+# File creation with WinRAR absolute path transversal exploit, CVE-2018-20250
+
+This query was originally published in the threat analytics report, *WinRAR CVE-2018-20250 exploit*
+
+WinRAR is a third-party file compressing application. Versions 5.61 and earlier contained a flaw that could be exploited by an attacker to read and write to an arbitrary path on the target's system. This could be used to run arbitrary code, overwrite system files, or access sensitive information. This vulnerability was designated [CVE-2018-20250](https://nvd.nist.gov/vuln/detail/CVE-2018-20250), and it is associated an outdated version of the legacy ACE compression library, `unacev2.dll`.
+
+The following query detects possible CVE-2020-20250 exploitation by looking for files created in the Startup folder.
+
+## Query
+
+```Kusto
+//Query for WinRAR file creation in the Startup folder
+DeviceFileEvents
+| where Timestamp > ago(7d)
+//Look for WinRAR as the initiating process or a commandline that has ".rar" 
+| where (InitiatingProcessFileName =~ "winrar.exe" 
+or InitiatingProcessCommandLine contains ".rar") 
+//Check for the file in the Startup folder
+and FolderPath contains "Programs\\Startup"
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution | v |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement | v |  |
+| Collection |  |  |
+| Command and control |  |  |
+| Exfiltration |  |  |
+| Impact | v |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## See also
+
+[Detect .ace files associated with WinRAR absolute path transversal exploit, CVE-2018-20250](winrar-cve-2018-20250-ace-files.md)
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team