From 83ca9aa1974bc545b4a4a8a75dd6ebd12a02b8a4 Mon Sep 17 00:00:00 2001 From: saulpanders <34975519+saulpanders@users.noreply.github.com> Date: Tue, 4 Oct 2022 06:27:47 -0400 Subject: [PATCH] Adding Windows Package Manager tool winget.exe (#188) Co-authored-by: Wietze --- yml/OSBinaries/Winget.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 yml/OSBinaries/Winget.yml diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml new file mode 100644 index 0000000..4e9d4e5 --- /dev/null +++ b/yml/OSBinaries/Winget.yml @@ -0,0 +1,28 @@ +--- +Name: winget.exe +Description: Windows Package Manager tool +Author: Paul Sanders +Created: 2022-01-03 +Commands: + - Command: winget.exe install --manifest manifest.yml + Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: "winget settings --enable LocalManifestFiles"' + Usecase: Download and execute an arbitrary file from the internet + Category: Execute + Privileges: Local Aministrator - required to enabled local manifest setting + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 +Full_Path: + - Path: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe +Code_Sample: + - Code: https://gist.github.com/saulpanders/00e1177602a8c01a3a8bfa932b3886b0 +Detection: + - IOC: winget.exe spawned with local manifest file + - IOC: Sysmon Event ID 1 - Process Creation + - Analysis: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html + - Sigma: https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml +Resources: + - Link: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html + - Link: https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended +Acknowledgement: + - Person: Paul + Handle: '@saulpanders'
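Review bot: the Privileges field in the new Winget.yml has two typos: `Privileges: Local Aministrator - required to enabled local manifest setting` should read `Privileges: Local Administrator - required to enable local manifest setting`. Two smaller points in the same hunk: Full_Path hardcodes a per-user profile path (`C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe`), so it is worth stating that the directory varies with the logged-on user, otherwise detection rules keying on that exact path will miss other profiles; and the first Detection entry (`IOC: winget.exe spawned with local manifest file`) would be more actionable if it named the command-line argument already shown in the Commands entry (`--manifest`), since that is what a Sysmon Event ID 1 process-creation rule can match on.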