Add New Download Source To Winget
Detects usage of winget to add new additional download sources
Sigma rule (View on GitHub)
1title: Add New Download Source To Winget
2id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
3related:
4 - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
5 type: similar
6 - id: c15a46a0-07d4-4c87-b4b6-89207835a83b
7 type: similar
8status: test
9description: Detects usage of winget to add new additional download sources
10references:
11 - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
12 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-04-17
15tags:
16 - attack.defense-evasion
17 - attack.execution
18 - attack.t1059
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_img:
24 - Image|endswith: '\winget.exe'
25 - OriginalFileName: 'winget.exe'
26 selection_cli:
27 CommandLine|contains|all:
28 - 'source '
29 - 'add '
30 condition: all of selection_*
31falsepositives:
32 - False positive are expected with legitimate sources
33level: medium
References
Related rules
- Add Insecure Download Source To Winget
- Install New Package Via Winget Local Manifest
- Payload Decoded and Decrypted via Built-in Utilities
- Potential Arbitrary Command Execution Via FTP.EXE
- Potentially Suspicious Execution From Parent Process In Public Folder