Add Potential Suspicious New Download Source To Winget

 1title: Add Potential Suspicious New Download Source To Winget
 2id: c15a46a0-07d4-4c87-b4b6-89207835a83b
 3related:
 4    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
 5      type: similar
 6    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
 7      type: similar
 8status: test
 9description: Detects usage of winget to add new potentially suspicious download sources
10references:
11    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
12    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-04-17
15modified: 2023-12-04
16tags:
17    - attack.execution
18    - attack.t1059
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - Image|endswith: '\winget.exe'
25        - OriginalFileName: 'winget.exe'
26    selection_cli:
27        CommandLine|contains|all:
28            - 'source '
29            - 'add '
30    selection_source_direct_ip:
31        # This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details
32        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
33    condition: all of selection_*
34falsepositives:
35    - Unknown
36level: medium

References

• https://learn.microsoft.com/en-us/windows/package-manager/winget/source

  
  Read More

• https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget

  
  Read More

Related rules

• Add Insecure Download Source To Winget
• Add New Download Source To Winget
• Elevated System Shell Spawned From Uncommon Parent Location
• HackTool - Stracciatella Execution
• Hacktool Ruler