Install New Package Via Winget Local Manifest
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.
Sigma rule (View on GitHub)
1title: Install New Package Via Winget Local Manifest
2id: 313d6012-51a0-4d93-8dfc-de8553239e25
3status: test
4description: |
5 Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
6 The manifest option enables you to install an application by passing in a YAML file directly to the client.
7 Winget can be used to download and install exe, msi or msix files later.
8references:
9 - https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
10 - https://lolbas-project.github.io/lolbas/Binaries/Winget/
11 - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
12author: Sreeman, Florian Roth (Nextron Systems), frack113
13date: 2020-04-21
14modified: 2023-04-17
15tags:
16 - attack.defense-evasion
17 - attack.execution
18 - attack.t1059
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_img:
24 - Image|endswith: '\winget.exe'
25 - OriginalFileName: 'winget.exe'
26 selection_install_flag:
27 CommandLine|contains:
28 - 'install'
29 - ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h
30 selection_manifest_flag:
31 CommandLine|contains:
32 - '-m '
33 - '--manifest'
34 condition: all of selection_*
35falsepositives:
36 - Some false positives are expected in some environment that may use this functionality to install and test their custom applications
37level: medium
References
Related rules
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Payload Decoded and Decrypted via Built-in Utilities
- Potential Arbitrary Command Execution Via FTP.EXE
- Potentially Suspicious Execution From Parent Process In Public Folder