Skip to content

Hide Navigation Hide TOC

WinRAR Creating Files in Startup Locations (74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc)

Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.

Cluster A Galaxy A Cluster B Galaxy B Level
WinRAR Creating Files in Startup Locations (74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc) Sigma-Rules Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2