Add Potential Suspicious New Download Source To Winget
Detects usage of winget to add new potentially suspicious download sources
Sigma rule (View on GitHub)
1title: Add Potential Suspicious New Download Source To Winget
2id: c15a46a0-07d4-4c87-b4b6-89207835a83b
3related:
4 - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
5 type: similar
6 - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
7 type: similar
8status: test
9description: Detects usage of winget to add new potentially suspicious download sources
10references:
11 - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
12 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-04-17
15modified: 2023-12-04
16tags:
17 - attack.defense-evasion
18 - attack.execution
19 - attack.t1059
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img:
25 - Image|endswith: '\winget.exe'
26 - OriginalFileName: 'winget.exe'
27 selection_cli:
28 CommandLine|contains|all:
29 - 'source '
30 - 'add '
31 selection_source_direct_ip:
32 # This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details
33 CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
34 condition: all of selection_*
35falsepositives:
36 - Unknown
37level: medium
References
Related rules
- Elevated System Shell Spawned From Uncommon Parent Location
- Renamed CURL.EXE Execution
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Install New Package Via Winget Local Manifest