Share
## https://sploitus.com/exploit?id=CC1B74B4-FAA4-5715-A78A-D9AFB3AB0AAA





## ๐จ WinRAR CVE-2025-6218 - Sigma Detection Pack
## ๐ฏ Objective
This repository provides production-ready Sigma rules to detect exploitation attempts of the WinRAR directory traversal vulnerability (CVE-2025-6218) on Windows systems.
The vulnerability allows attackers to extract files outside the intended directory, enabling payload drops and persistence mechanisms.
The detection approach follows Sigma best practices:
- Atomic detection rules
- SIEM / SOAR-level correlation
- Cross-platform portability
---
## ๐ CVE Overview
| Field | Value |
|------|-------|
| CVE | CVE-2025-6218 |
| Type | Directory Traversal |
| Product | WinRAR |
| OS | Windows |
| Impact | Arbitrary file write |
---
## ๐ Repository Content
- WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
- WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
- README.md
- README_FR.md
---
## ๐ง Detection Strategy
1. **Initial exploitation detection**
- WinRAR extraction abusing directory traversal patterns
2. **Post-exploitation detection**
- WinRAR writing files into Windows persistence locations
High confidence is achieved when both detections are correlated within a short time window.
---
## โ๏ธ Step-by-Step Conversion Guide
### 1๏ธโฃ Prerequisites
- Sigma CLI v2.x
- Sysmon enabled (recommended)
- Logs ingested into a SIEM
#### Verify installation:
```bash
sigma list pipelines
sigma list targets
```
#### ๐ฅ Rule validation
Validate the rules using Sigma CLI:
```bash
sigma check WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma check WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```
### 2๏ธโฃ OpenSearch (Sysmon)
```bash
sigma convert -t opensearch_lucene -p sysmon WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t opensearch_lucene -p sysmon WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```
### 3๏ธโฃ Elastic (ECS / Winlogbeat)
```bash
sigma convert -t lucene -p ecs_windows WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t lucene -p ecs_windows WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```
### 4๏ธโฃ EQL (Elastic Security):
```bash
sigma convert -t eql -p ecs_windows WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t eql -p ecs_windows WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```
### 5๏ธโฃ Splunk
```bash
sigma convert -t splunk -p splunk_windows WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t splunk -p splunk_windows WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```
### 6๏ธโฃ NetWitness
```bash
sigma convert -t net_witness WinRAR_Path_Traversal_Extraction_CVE-2025-6218.yml
sigma convert -t net_witness WinRAR_Persistence_Startup_Write_CVE-2025-6218.yml
```
---
## ๐งญ Pipeline Selection Guide
| SIEM | Logs | Recommended Pipeline | Target |
|------|------|----------------------|--------|
| OpenSearch | Sysmon | `sysmon` | `opensearch_lucene` |
| Elastic | Winlogbeat (ECS) | `ecs_windows` | `lucene`, `eql` |
| Splunk | Windows Logs | `splunk_windows` | `splunk` |
| SentinelOne | Endpoint Telemetry | *(none)* | `sentinel_one` |
| NetWitness | Windows Logs | *(none)* | `net_witness` |
> โ ๏ธ Choosing the correct pipeline is critical.
> An incorrect pipeline may result in queries that do not match any events.
---
## ๐ Correlation Logic (SIEM / SOAR)
Trigger a HIGH severity alert if:
- Rule 1 AND Rule 2
- Same host (and ideally same user)
- Within 10 minutes
Correlation should be implemented using native SIEM alerting or SOAR playbooks.
---
## ๐งฌ MITRE ATT&CK Mapping
- Initial Access: T1566 (Phishing โ weaponized archive)
- Execution: T1204 (User Execution)
- Persistence: T1547 (Startup Folder / Scheduled Task)
---
## ๐ References
- https://nvd.nist.gov/vuln/detail/CVE-2025-6218
- https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html
- https://foresiet.com/blog/apt-c-08-winrar-directory-traversal-exploit/
- https://www.secpod.com/blog/archive-terror-dissecting-the-winrar-cve-2025-6218-exploit-apt-c-08s-stealth-move/
---
## ๐ค Author
**Adama Assiongbon**
SOC / CTI Analyst Consultant
GitHub: https://github.com/hatchepsoout
LinkedIn: https://www.linkedin.com/in/adama-assiongbon-9029893a/
---
## โ ๏ธ Disclaimer
These rules are provided for defensive purposes only. Always test before production deployment.
# Hatchepsoute