Install New Package Via Winget Local Manifest
Detects winget.exe being run with the install (or add) command together with the -m / --manifest option, which installs a package from a local YAML manifest instead of from a configured source. A manifest carries its own InstallerUrl and InstallerSha256, so an adversary can point it at a remotely hosted exe, msi or msix payload and have winget, a signed Microsoft binary, download and execute it on their behalf. Installs from the standard sources (winget install <package id>) do not match the rule. On current winget builds a local manifest install only works after LocalManifestFiles has been enabled from an elevated prompt (winget settings --enable LocalManifestFiles), so that settings change is a useful companion signal.
Sigma rule
title: Install New Package Via Winget Local Manifest
id: 313d6012-51a0-4d93-8dfc-de8553239e25
status: test
description: |
    Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
    The manifest option enables you to install an application by passing in a YAML file directly to the client.
    Winget can be used to download and install exe, msi or msix files later.
references:
    - https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install
    - https://lolbas-project.github.io/lolbas/Binaries/Winget/
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Sreeman, Florian Roth (Nextron Systems), frack113
date: 2020-04-21
modified: 2023-04-17
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\winget.exe'
        - OriginalFileName: 'winget.exe'
    selection_install_flag:
        CommandLine|contains:
            - 'install'
            - ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h
    selection_manifest_flag:
        CommandLine|contains:
            - '-m '
            - '--manifest'
    condition: all of selection_*
falsepositives:
    - Some false positives are expected in some environments that may use this functionality to install and test their custom applications
level: medium
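The following is an added example written for this page, not SigmaHQ or winget code: it re-implements the rule's three selections and its "all of selection_*" condition in Python and runs them over a handful of constructed process_creation events (Sysmon-style Image, OriginalFileName and CommandLine fields; none of the events are real telemetry). It shows what the rule fires on, including a renamed winget.exe caught through OriginalFileName, a case variant (Sigma string matching is case-insensitive), and the consequence of the unanchored 'install' substring also matching "uninstall".

```python
"""
Reference implementation of the Sigma rule above, run over constructed
process_creation events. Added example for this page, not SigmaHQ or
winget code. Assumptions: field names follow the Sigma process_creation
taxonomy (Image, OriginalFileName, CommandLine); SAMPLE_EVENTS below are
constructed for illustration, not captured from a host.
"""
from __future__ import annotations

RULE_ID = "313d6012-51a0-4d93-8dfc-de8553239e25"


def _lower(value: str | None) -> str:
    """Sigma string comparisons are case-insensitive; normalise once here."""
    return (value or "").lower()


def _contains_any(value: str | None, needles: list[str]) -> bool:
    """Sigma `contains` with a list of values: OR over unanchored substrings."""
    haystack = _lower(value)
    return any(needle.lower() in haystack for needle in needles)


def selection_img(event: dict) -> bool:
    """selection_img is a YAML list of maps, so its two entries are OR-ed:
    a renamed binary still matches if OriginalFileName survived."""
    return _lower(event.get("Image")).endswith("\\winget.exe") or _lower(
        event.get("OriginalFileName")
    ) == "winget.exe"


def selection_install_flag(event: dict) -> bool:
    # 'install' is unanchored, so it also hits 'uninstall' and 'installer';
    # ' add ' keeps its surrounding spaces so it only matches the sub-command.
    return _contains_any(event.get("CommandLine"), ["install", " add "])


def selection_manifest_flag(event: dict) -> bool:
    # '-m ' keeps its trailing space so it does not fire on other options
    # that start with -m (e.g. --moniker); '--manifest' is a plain substring.
    return _contains_any(event.get("CommandLine"), ["-m ", "--manifest"])


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return (
        selection_img(event)
        and selection_install_flag(event)
        and selection_manifest_flag(event)
    )


# Constructed sample events (not real telemetry). The label is only used to
# report which events fired.
WINGET = r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe"
SAMPLE_EVENTS = [
    {"label": "tp_short_flag", "Image": WINGET, "OriginalFileName": "winget.exe",
     "CommandLine": r"winget install -m C:\Users\alice\Downloads\tool.yaml"},
    {"label": "tp_add_long_flag", "Image": WINGET, "OriginalFileName": "winget.exe",
     "CommandLine": f'"{WINGET}" add --manifest .\\manifest.yaml'},
    # winget.exe copied and renamed; Image no longer ends with \winget.exe
    {"label": "tp_renamed_binary", "Image": r"C:\Users\Public\wg.exe",
     "OriginalFileName": "winget.exe",
     "CommandLine": r"wg.exe install -m C:\Users\Public\pkg.yaml"},
    {"label": "case_variant", "Image": WINGET.upper(), "OriginalFileName": "winget.exe",
     "CommandLine": r"WINGET INSTALL --MANIFEST C:\Temp\app.yaml"},
    # fires because 'install' is a substring of 'uninstall'
    {"label": "uninstall_via_manifest", "Image": WINGET, "OriginalFileName": "winget.exe",
     "CommandLine": r"winget uninstall -m C:\Temp\app.yaml"},
    # ordinary install from a configured source: no manifest option, no match
    {"label": "benign_store_install", "Image": WINGET, "OriginalFileName": "winget.exe",
     "CommandLine": "winget install Microsoft.PowerToys --silent --accept-package-agreements"},
    # contains 'install' (in 'installer.msi') but is not winget: no match
    {"label": "other_binary", "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\installer.msi /qn"},
]


def run(events: list[dict]) -> list[str]:
    """Return the labels of all events that satisfy the rule, in input order."""
    return [event["label"] for event in events if matches(event)]


if __name__ == "__main__":
    for label in run(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] fired on {label}")
```

The uninstall case is worth keeping in mind when triaging: the rule does not distinguish install from uninstall, and an analyst should look at the manifest path and the parent process rather than the sub-command alone. Running the same events through a real backend (for instance sigma-cli with a pySigma backend) is the way to confirm that the backend's escaping of the backslash in '\winget.exe' behaves the same way.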
Related rules
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Add Potential Suspicious New Download Source To Winget
- Elevated System Shell Spawned From Uncommon Parent Location
- HackTool - Stracciatella Execution