/
proc_creation_win_winget_local_install_via_manifest.yml
37 lines (37 loc) · 1.59 KB
/
proc_creation_win_winget_local_install_via_manifest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
title: Install New Package Via Winget Local Manifest
id: 313d6012-51a0-4d93-8dfc-de8553239e25
status: test
description: |
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
The manifest option enables you to install an application by passing in a YAML file directly to the client.
Winget can be used to download and install exe, msi or msix files later.
references:
- https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
- https://lolbas-project.github.io/lolbas/Binaries/Winget/
- https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Sreeman, Florian Roth (Nextron Systems), frack113
date: 2020/04/21
modified: 2023/04/17
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\winget.exe'
- OriginalFileName: 'winget.exe'
selection_install_flag:
CommandLine|contains:
- 'install'
- ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h
selection_manifest_flag:
CommandLine|contains:
- '-m '
- '--manifest'
condition: all of selection_*
falsepositives:
- Some false positives are expected in some environment that may use this functionality to install and test their custom applications
level: medium