Add Potential Suspicious New Download Source To Winget

Detects usage of winget to add new potentially suspicious download sources

Sigma rule (View on GitHub)

 1title: Add Potential Suspicious New Download Source To Winget
 2id: c15a46a0-07d4-4c87-b4b6-89207835a83b
 3related:
 4    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
 5      type: similar
 6    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
 7      type: similar
 8status: test
 9description: Detects usage of winget to add new potentially suspicious download sources
10references:
11    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
12    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023-04-17
15modified: 2023-12-04
16tags:
17    - attack.defense-evasion
18    - attack.execution
19    - attack.t1059
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Image|endswith: '\winget.exe'
26        - OriginalFileName: 'winget.exe'
27    selection_cli:
28        CommandLine|contains|all:
29            - 'source '
30            - 'add '
31    selection_source_direct_ip:
32        # This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details
33        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
34    condition: all of selection_*
35falsepositives:
36    - Unknown
37level: medium

References

Related rules

to-top