---
Name: winget.exe
Description: Windows Package Manager tool
Author: Paul Sanders
Created: 2022-01-03
Commands:
  - Command: winget.exe install --manifest manifest.yml
    Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: "winget settings --enable LocalManifestFiles"'
    Usecase: Download and execute an arbitrary file from the internet
    Category: Execute
    Privileges: Local Aministrator - required to enabled local manifest setting
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe
Code_Sample:
  - Code: https://gist.github.com/saulpanders/00e1177602a8c01a3a8bfa932b3886b0
Detection:
  - IOC: winget.exe spawned with local manifest file
  - IOC: Sysmon Event ID 1 - Process Creation
  - Analysis: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html
  - Sigma: https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml
Resources:
  - Link: https://saulpanders.github.io/2022/01/02/New-Year-New-LOLBAS.html
  - Link: https://docs.microsoft.com/en-us/windows/package-manager/winget/#production-recommended
Acknowledgement:
  - Person: Paul
    Handle: '@saulpanders'