Add New Download Source To Winget

 1title: Add New Download Source To Winget
 2id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
 3related:
 4    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
 5      type: similar
 6    - id: c15a46a0-07d4-4c87-b4b6-89207835a83b
 7      type: similar
 8status: test
 9description: Detects usage of winget to add new additional download sources
10references:
11    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
12    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-04-17
15tags:
16    - attack.defense-evasion
17    - attack.execution
18    - attack.t1059
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\winget.exe'
25        - OriginalFileName: 'winget.exe'
26    selection_cli:
27        CommandLine|contains|all:
28            - 'source '
29            - 'add '
30    condition: all of selection_*
31falsepositives:
32    - False positive are expected with legitimate sources
33level: medium

References

• The winget source command

  

  Use the winget source command and subcommands to list and manage the repositories Windows Package Manager accesses.

  
  Read More

• Misc-Research/LOLBINs/Winget at b9596e8109dcdb16ec353f316678927e507a5b8d · nasbench/Misc-Research

  

  A collection of tools, scripts and personal research - nasbench/Misc-Research

  
  Read More

Related rules

• Add Insecure Download Source To Winget
• HackTool - Stracciatella Execution
• Install New Package Via Winget Local Manifest
• Payload Decoded and Decrypted via Built-in Utilities
• Potential Arbitrary Command Execution Via FTP.EXE