Add Insecure Download Source To Winget

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

Sigma rule (View on GitHub)

 1title: Add Insecure Download Source To Winget
 2id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
 3related:
 4    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
 5      type: similar
 6    - id: c15a46a0-07d4-4c87-b4b6-89207835a83b
 7      type: similar
 8status: test
 9description: |
10    Detects usage of winget to add a new insecure (http) download source.
11    Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)    
12references:
13    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
14    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
15author: Nasreddine Bencherchali (Nextron Systems)
16date: 2023/04/17
17tags:
18    - attack.defense_evasion
19    - attack.execution
20    - attack.t1059
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection_img:
26        - Image|endswith: '\winget.exe'
27        - OriginalFileName: 'winget.exe'
28    selection_cli:
29        CommandLine|contains|all:
30            - 'source '
31            - 'add '
32            - 'http://'
33    condition: all of selection_*
34falsepositives:
35    - False positives might occur if the users are unaware of such control checks
36level: high

References

Related rules

to-top