Install New Package Via Winget Local Manifest
Detects use of winget to install an application from a local manifest file. The -m/--manifest option installs a package by passing a YAML manifest directly to the client, and because winget will then download and install whatever exe, msi or msix the manifest points at, an adversary who can write a manifest can abuse winget to fetch a remote payload and execute it.
Authors: Sreeman, Florian Roth (Nextron Systems), François Hubaut
Created: Tue Apr 21
Updated: Mon Apr 17
Rule ID: 313d6012-51a0-4d93-8dfc-de8553239e25
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (3 selectors)
detection:
    selection_img:
        - Image|endswith: '\winget.exe'
        - OriginalFileName: 'winget.exe'
    selection_install_flag:
        CommandLine|contains:
            - 'install'
            - ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h
    selection_manifest_flag:
        CommandLine|contains:
            - '-m '
            - '--manifest'
    condition: all of selection_*
False Positives
Some false positives are expected in environments that use local manifests to install and test their own custom applications.
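The three selections and the "all of selection_*" condition, evaluated over a handful of constructed process-creation events. This is an added illustration written for this page, not SigmaHQ code or a Sigma backend; the events are made up (field names follow the Sigma process_creation taxonomy) and the matcher implements only the modifiers the rule uses (contains, endswith, plain equality), case-insensitively as Sigma backends do by default. It also shows two tuning caveats that fall out of the string matching: a renamed winget binary is still caught through OriginalFileName, and "install" matches inside "uninstall".

```python
"""Sigma selection/condition semantics for the winget manifest rule, run over
constructed Windows process-creation events. Added illustration only."""

# Selections transcribed from the rule. Sigma semantics applied here:
#   - a list of maps under a selection is OR across the maps
#   - the keys inside one map are AND
#   - a list of values under one key is OR
#   - string comparisons are case-insensitive
# Representation: selection -> list of maps; map -> {field: (modifier, values)}.
SELECTIONS = {
    "selection_img": [
        {"Image": ("endswith", ["\\winget.exe"])},
        {"OriginalFileName": ("equals", ["winget.exe"])},
    ],
    "selection_install_flag": [
        {"CommandLine": ("contains", ["install", " add "])},
    ],
    "selection_manifest_flag": [
        {"CommandLine": ("contains", ["-m ", "--manifest"])},
    ],
}


def value_matches(modifier: str, actual: str, pattern: str) -> bool:
    """One Sigma string modifier, compared case-insensitively."""
    a, p = actual.casefold(), pattern.casefold()
    if modifier == "contains":
        return p in a
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "equals":
        return a == p
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: list, event: dict) -> bool:
    """OR over the maps; AND over the fields of a map; OR over a field's values.
    A field missing from the event never matches."""
    return any(
        all(
            field in event
            and any(value_matches(mod, str(event[field]), v) for v in values)
            for field, (mod, values) in clause.items()
        )
        for clause in selection
    )


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*  (every selection must match)."""
    return all(selection_matches(sel, event) for sel in SELECTIONS.values())


# Constructed sample events (not real telemetry).
WINGET_IMAGE = r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe"
SAMPLE_EVENTS = {
    # -m with a local manifest: the behaviour the rule targets
    "manifest_short_flag": {
        "Image": WINGET_IMAGE,
        "OriginalFileName": "winget.exe",
        "CommandLine": r"winget install -m C:\Users\alice\Downloads\tool.yaml",
    },
    # binary copied and renamed; OriginalFileName from the PE version info
    # still says winget.exe, and 'add' is the alias for install
    "renamed_binary_add_alias": {
        "Image": r"C:\Temp\wg.exe",
        "OriginalFileName": "winget.exe",
        "CommandLine": r"wg.exe add --manifest C:\Temp\pkg",
    },
    # ordinary install from a configured source: no manifest flag, no hit
    "source_install_no_manifest": {
        "Image": WINGET_IMAGE,
        "OriginalFileName": "winget.exe",
        "CommandLine": "winget install Microsoft.VisualStudioCode",
    },
    # 'install' is a substring of 'uninstall', so this fires as well
    "uninstall_with_manifest": {
        "Image": WINGET_IMAGE,
        "OriginalFileName": "winget.exe",
        "CommandLine": r"winget uninstall --manifest C:\Temp\pkg",
    },
    # the parent shell's own event: Image and OriginalFileName are cmd.exe, so
    # selection_img fails; the child winget.exe event is the one that matches
    "cmd_parent_only": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r'cmd.exe /c "winget install -m C:\Temp\tool.yaml"',
    },
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule fires on it."""
    return {name: rule_matches(event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

Two details of the rule's literals matter when reading results: ' add ' needs a space on both sides, and '-m ' needs a trailing space, so a command line that ends in a bare "-m" (no manifest path) does not match; "--manifest" has no such requirement. If the uninstall overlap is noisy in your environment, narrowing 'install' to ' install ' is the obvious tuning, at the cost of the leading-space edge cases that the current wording avoids.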
MITRE ATT&CK
Tactics: Defense Evasion, Execution
Technique: T1059 (Command and Scripting Interpreter)
Rule Metadata
Rule ID
313d6012-51a0-4d93-8dfc-de8553239e25
Status
test
Level
medium
Type
Detection
Created
Tue Apr 21
Modified
Mon Apr 17
Path
rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml
Raw Tags
attack.defense-evasion, attack.execution, attack.t1059