Skip to content

Hide Navigation Hide TOC

WinRAR Creating Files in Startup Locations (74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc)

Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.

Cluster A Galaxy A Cluster B Galaxy B Level
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern WinRAR Creating Files in Startup Locations (74a2b37d-fea4-41e0-9ac7-c9fbcf1f60cc) Sigma-Rules 1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2