Potential Suspicious Winget Package Installation

Detects a potentially suspicious winget package installation from a suspicious source.

Sigma rule

title: Potential Suspicious Winget Package Installation
id: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2
status: test
description: Detects potential suspicious winget package installation from a suspicious source.
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/18
tags:
    - attack.defense_evasion
    - attack.persistence
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Contents|startswith: '[ZoneTransfer]  ZoneId=3'
        Contents|contains:
            # Note: Add any untrusted sources that are custom to your env
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
        TargetFilename|endswith: ':Zone.Identifier'
        TargetFilename|contains: '\AppData\Local\Temp\WinGet\'
    condition: selection
falsepositives:
    - Unknown
level: high
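As an added example (not part of the rule or of SigmaHQ), the selection logic above translated to Python and run over constructed Sysmon Event ID 15 (FileCreateStreamHash) records; the field names follow the rule, and all paths, URLs and addresses are placeholders.

```python
# Added example, not part of the Sigma rule: evaluates the rule's 'selection'
# against constructed Sysmon Event ID 15 records. Field names (Contents,
# TargetFilename) follow the rule; every sample value below is made up.
from typing import Iterable

# Mirrors the rule's Contents|contains list: a source URL whose authority starts
# with a digit, i.e. a bare IP address instead of a hostname. Extend this list
# with sources that are untrusted in your environment, as the rule's note says.
UNTRUSTED_SOURCE_MARKERS = [f"://{d}" for d in range(1, 10)]
WINGET_TEMP_DIR = "\\AppData\\Local\\Temp\\WinGet\\"


def matches_rule(event: dict) -> bool:
    """Return True when one Sysmon EID 15 event satisfies the rule's selection."""
    contents = event.get("Contents", "")
    target = event.get("TargetFilename", "")
    return (
        contents.startswith("[ZoneTransfer]  ZoneId=3")          # Contents|startswith
        and any(m in contents for m in UNTRUSTED_SOURCE_MARKERS)  # Contents|contains (any of)
        and target.endswith(":Zone.Identifier")                   # TargetFilename|endswith
        and WINGET_TEMP_DIR in target                             # TargetFilename|contains
    )


def find_hits(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (placeholders, not real telemetry).
SAMPLE_EVENTS = [
    {   # package fetched from a bare-IP source into WinGet's temp dir -> hit
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\WinGet\Vendor.Tool\1.0\setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]  ZoneId=3  ReferrerUrl=http://192.0.2.10/  HostUrl=http://192.0.2.10/setup.exe",
    },
    {   # same location, but a hostname-based source -> no hit
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\WinGet\Vendor.Tool\1.0\setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=https://downloads.example.com/setup.exe",
    },
    {   # bare-IP source, but a browser download outside WinGet's temp dir -> no hit
        "TargetFilename": r"C:\Users\alice\Downloads\file.zip:Zone.Identifier",
        "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=http://198.51.100.7/file.zip",
    },
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The third sample shows why the TargetFilename conditions matter: without them, any Mark-of-the-Web stream naming an IP-based source would fire, which is the rule's "Unknown" false-positive surface.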
