Sigma rules for CVE-2015-5663

4 rules, scoped to this CVE.

Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
---
title: WinRAR Creating Files in Startup Locations
id: 74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc
status: experimental
description: |
    Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder.
    This kind of behaviour has been associated with exploitation of the WinRAR path traversal vulnerabilities CVE-2025-6218 or CVE-2025-8088.
references:
    - https://github.com/mulwareX/CVE-2025-6218-POC
    - https://x.com/0x534c/status/1944694507787710685
    - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-16
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WinRAR.exe'
            - '\Rar.exe'
        TargetFilename|contains: '\Start Menu\Programs\Startup\'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: WinRAR Execution in Non-Standard Folder
id: 4ede543c-e098-43d9-a28f-dd784a13132f
status: test
description: Detects a suspicious WinRAR execution from a folder that is not the default installation folder
references:
    - https://twitter.com/cyb3rops/status/1460978167628406785
author: Florian Roth (Nextron Systems), Tigzy
date: 2021-11-17
modified: 2025-07-16
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\rar.exe'
              - '\winrar.exe'
        - Description:
              - 'Command line RAR'
              - 'WinRAR'
    filter_main_unrar:
        # Note: we filter UnRAR because it carries the same Description as the other utilities, and we are only interested in compression
        Image|endswith: '\UnRAR.exe'
    filter_main_path:
        Image|contains:
            - ':\Program Files (x86)\WinRAR\'
            - ':\Program Files\WinRAR\'
    filter_optional_temp:
        # Note: on some occasions installers were seen dropping "rar" in TEMP
        Image|contains: ':\Windows\Temp\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate use of WinRAR from the folder of a software product that bundles WinRAR
level: medium
---
title: Potentially Suspicious Child Process Of WinRAR.EXE
id: 146aace8-9bd6-42ba-be7a-0070d8027b76
related:
    - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
      type: similar
status: test
description: Detects potentially suspicious child processes of WinRAR.exe.
references:
    - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
    - https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-31
tags:
    - attack.execution
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\WinRAR.exe'
    selection_binaries:
        # Note: add additional binaries that an attacker might use
        - Image|endswith:
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'RUNDLL32.EXE'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
---
title: Winrar Compressing Dump Files
id: 1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc
related:
    - id: ec570e53-4c76-45a9-804d-dc3f355ff7a7
      type: similar
status: test
description: Detects execution of WinRAR to compress a file with a ".dmp"/".dump" extension, which could be a step in the exfiltration of a memory dump.
references:
    - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
author: Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2023-09-12
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\rar.exe'
              - '\winrar.exe'
        - Description: 'Command line RAR'
    selection_extension:
        CommandLine|contains:
            - '.dmp'
            - '.dump'
            - '.hdmp'
    condition: all of selection_*
falsepositives:
    - Legitimate use of WinRAR with a command line in which ".dmp" or ".dump" appears incidentally
    - Legitimate use of WinRAR to compress WER ".dmp" files for troubleshooting
level: medium