From ea4d2a87b0ed2cbf53fe3a8557e5474e25d4418f Mon Sep 17 00:00:00 2001 From: Fred Cyber Security Date: Sun, 1 Jun 2025 14:15:55 +0200 Subject: [PATCH] Update Winget.yml (#436) Co-authored-by: Wietze --- yml/OSBinaries/Winget.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index 6c2239b..59c9cfa 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml @@ -21,6 +21,13 @@ Commands: Privileges: User MitreID: T1105 OperatingSystem: Windows 10, Windows 11 + - Command: winget.exe install --accept-package-agreements -s msstore {name or ID} + Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine, and even if AppLocker is active on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' + Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked, and AppLocker is activated on the machine + Category: AWL Bypass + Privileges: User + MitreID: T1105 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe Code_Sample: @@ -33,7 +40,9 @@ Detection: Resources: - Link: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html - Link: https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended + - Link: https://www.youtube.com/watch?v=zuL7x4Wltto Acknowledgement: - Person: Paul Handle: '@saulpanders' - Person: Konrad 'unrooted' Klawikowski + - Person: Fredrik H. Brathen
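Review bot: The new "AWL Bypass" entry in the first hunk (the `winget.exe install --accept-package-agreements -s msstore {name or ID}` block) adds a bypass claim without any matching change to the `Detection:` section, and the Description's statement that it works "even if AppLocker is active on the machine" holds only for a particular rule set, which the entry does not state. Suggest qualifying the claim (which AppLocker rule collection is assumed, and that the alias under `C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe` is what gets allowed) and adding a detection line for process creation of winget.exe with `-s msstore` in its command line, so defenders reading the file get the telemetry hint alongside the technique. Minor: the Description mixes `"Sysinternals Suite"` and `` `9p7knl5rwt25` `` quoting styles for the two example identifiers; pick one, and consider moving "Note: a Microsoft account is required for this." into the Usecase, since it is a prerequisite rather than a description of what the command does.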
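Review bot: In the second hunk the only reference added for the new behaviour is a YouTube link (`https://www.youtube.com/watch?v=zuL7x4Wltto`), which is a weak citation for a claim that includes a Store ID and an account requirement; suggest also citing the Microsoft winget documentation page for the `-s msstore` source next to the existing `docs.microsoft.com` link, so the entry does not depend on a video staying online. The added `- Person: Fredrik H. Brathen` acknowledgement omits a `Handle:` field, as the Konrad entry does; add one if the contributor has a handle so the acknowledgements stay consistent with the first entry.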