Share
## https://sploitus.com/exploit?id=CC1B74B4-FAA4-5715-A78A-D9AFB3AB0AAA
![Sigma](https://img.shields.io/badge/Sigma-Rules-blue)
![Windows](https://img.shields.io/badge/Platform-Windows-informational)
![CVE](https://img.shields.io/badge/CVE-2025--6218-critical)
![License](https://img.shields.io/badge/License-MIT-green)
![SOC](https://img.shields.io/badge/Use--case-SOC%20%7C%20CTI-blueviolet)

## ๐Ÿšจ WinRAR CVE-2025-6218 - Sigma Detection Pack

## ๐ŸŽฏ Objective
This repository provides production-ready Sigma rules to detect exploitation attempts of the WinRAR directory traversal vulnerability (CVE-2025-6218) on Windows systems.

The vulnerability allows attackers to extract files outside the intended directory, enabling payload drops and persistence mechanisms.

The detection approach follows Sigma best practices:
- Atomic detection rules
- SIEM / SOAR-level correlation
- Cross-platform portability

---

## ๐Ÿ“Œ CVE Overview

| Field | Value |
|------|-------|
| CVE | CVE-2025-6218 |
| Type | Directory Traversal |
| Product | WinRAR |
| OS | Windows |
| Impact | Arbitrary file write |

---

## ๐Ÿ“‚ Repository Content

- WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
- WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
- README.md
- README_FR.md

---

## ๐Ÿง  Detection Strategy

1. **Initial exploitation detection**
   - WinRAR extraction abusing directory traversal patterns

2. **Post-exploitation detection**
   - WinRAR writing files into Windows persistence locations

High confidence is achieved when both detections are correlated within a short time window.

---

## โš™๏ธ Step-by-Step Conversion Guide

### 1๏ธโƒฃ Prerequisites

- Sigma CLI v2.x
- Sysmon enabled (recommended)
- Logs ingested into a SIEM

#### Verify installation:

```bash
sigma list pipelines
sigma list targets
```
#### ๐Ÿ“ฅ Rule validation

Validate the rules using Sigma CLI:

```bash
sigma check WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma check WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```
### 2๏ธโƒฃ OpenSearch (Sysmon)

```bash
sigma convert -t opensearch_lucene -p sysmon WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t opensearch_lucene -p sysmon WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```

### 3๏ธโƒฃ Elastic (ECS / Winlogbeat)

```bash
sigma convert -t lucene -p ecs_windows WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t lucene -p ecs_windows WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```

### 4๏ธโƒฃ EQL (Elastic Security):
```bash
sigma convert -t eql -p ecs_windows WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t eql -p ecs_windows WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```

### 5๏ธโƒฃ Splunk

```bash
sigma convert -t splunk -p splunk_windows WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t splunk -p splunk_windows WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```

### 6๏ธโƒฃ NetWitness

```bash
sigma convert -t net_witness WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t net_witness WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```

---

## ๐Ÿงญ Pipeline Selection Guide

| SIEM | Logs | Recommended Pipeline | Target |
|------|------|----------------------|--------|
| OpenSearch | Sysmon | `sysmon` | `opensearch_lucene` |
| Elastic | Winlogbeat (ECS) | `ecs_windows` | `lucene`, `eql` |
| Splunk | Windows Logs | `splunk_windows` | `splunk` |
| SentinelOne | Endpoint Telemetry | *(none)* | `sentinel_one` |
| NetWitness | Windows Logs | *(none)* | `net_witness` |


> โš ๏ธ Choosing the correct pipeline is critical.  
> An incorrect pipeline may result in queries that do not match any events.

---

## ๐Ÿ”— Correlation Logic (SIEM / SOAR)

Trigger a HIGH severity alert if:
- Rule 1 AND Rule 2
- Same host (and ideally same user)
- Within 10 minutes
Correlation should be implemented using native SIEM alerting or SOAR playbooks.
---
## ๐Ÿงฌ MITRE ATT&CK Mapping

- Initial Access: T1566 (Phishing โ€“ weaponized archive)
- Execution: T1204 (User Execution)
- Persistence: T1547 (Startup Folder / Scheduled Task)
---
## ๐Ÿ”— References

- https://nvd.nist.gov/vuln/detail/CVE-2025-6218  
- https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html  
- https://foresiet.com/blog/apt-c-08-winrar-directory-traversal-exploit/  
- https://www.secpod.com/blog/archive-terror-dissecting-the-winrar-cve-2025-6218-exploit-apt-c-08s-stealth-move/
---

## ๐Ÿ‘ค Author

**Adama Assiongbon**  
SOC / CTI Analyst Consultant  

GitHub: https://github.com/hatchepsoout  
LinkedIn: https://www.linkedin.com/in/adama-assiongbon-9029893a/

---

## โš ๏ธ Disclaimer

These rules are provided for defensive purposes only. Always test before production deployment.
# Hatchepsoute