Potential Suspicious Winget Package Installation
Detects a potentially suspicious winget package installation from an untrusted source: a Zone.Identifier (Mark-of-the-Web) stream written under the WinGet temp directory that records ZoneId=3 (Internet zone) and a download URL whose host begins with a digit, i.e. an IP-literal origin rather than a named package source.
Author: Nasreddine Bencherchali (Nextron Systems) | Created: Tue Apr 18 | Rule ID: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2 | Product: windows
Log Source
Product: Windows (raw: windows)
Category: Alternate Data Stream (raw: create_stream_hash)
Detection Logic (1 selector)
The single selection ANDs four clauses: the created stream is a Zone.Identifier ADS (TargetFilename), it lives under \AppData\Local\Temp\WinGet\, its contents start with the Internet-zone marker ZoneId=3, and the recorded URL has a digit immediately after the scheme, which is a cheap proxy for an IP-address download source. Extend the contains list with any other source patterns you consider untrusted in your environment.
detection:
    selection:
        Contents|startswith: '[ZoneTransfer] ZoneId=3'
        Contents|contains:
            # Note: Add any untrusted sources that are custom to your env
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
        TargetFilename|endswith: ':Zone.Identifier'
        TargetFilename|contains: '\AppData\Local\Temp\WinGet\'
    condition: selection
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
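To make the selection concrete, here is the rule's logic re-implemented in Python and run over a handful of constructed Sysmon Event ID 15 (FileCreateStreamHash) records. This is an added example, not code from the rule or from SigmaHQ. Sysmon places the stream's text in the Contents field; the sample records, the host names, the addresses and the single-space flattening of the Zone.Identifier lines are all constructed assumptions, and Sigma's default case-insensitive string matching is reproduced by lower-casing both sides.

```python
"""Re-implementation of the rule's `selection` over constructed Sysmon Event ID 15 records.

Added example; not part of the Sigma rule or of SigmaHQ. Sample events, paths, host
names, addresses and the whitespace inside the Contents strings are constructed."""
import re
from typing import Dict, Optional

# Selection values copied from the rule. Sigma compares strings case-insensitively,
# so both the patterns and the event fields are lower-cased before comparison.
CONTENTS_PREFIX = "[ZoneTransfer] ZoneId=3".lower()
UNTRUSTED_SOURCE_MARKERS = tuple(f"://{d}" for d in "123456789")  # digit right after scheme
TARGET_SUFFIX = ":Zone.Identifier".lower()
TARGET_DIR_MARKER = "\\AppData\\Local\\Temp\\WinGet\\".lower()

HOSTURL_RE = re.compile(r"HostUrl=(\S+)", re.IGNORECASE)


def matches_rule(event: Dict[str, str]) -> bool:
    """True when a FileCreateStreamHash record satisfies every clause of `selection`."""
    contents = event.get("Contents", "").lower()
    target = event.get("TargetFilename", "").lower()
    return (
        contents.startswith(CONTENTS_PREFIX)
        and any(marker in contents for marker in UNTRUSTED_SOURCE_MARKERS)
        and target.endswith(TARGET_SUFFIX)
        and TARGET_DIR_MARKER in target
    )


def host_url(event: Dict[str, str]) -> Optional[str]:
    """Extract HostUrl from the Zone.Identifier text for triage (None if absent)."""
    m = HOSTURL_RE.search(event.get("Contents", ""))
    return m.group(1) if m else None


# Constructed records holding only the two fields the rule reads. Paths are hypothetical.
WINGET_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp\\WinGet\\Contoso.Tool_1.0\\"
DOWNLOADS_DIR = "C:\\Users\\alice\\Downloads\\"
SAMPLE_EVENTS: Dict[str, Dict[str, str]] = {
    # IPv4 literal source, Internet zone, WinGet temp dir: the case the rule is written for.
    "ip_literal_source_in_winget_dir": {
        "TargetFilename": WINGET_DIR + "setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer] ZoneId=3 HostUrl=http://203.0.113.10:8080/setup.exe",
    },
    # Named host: no digit follows "://", so the contains clause fails.
    "domain_source_in_winget_dir": {
        "TargetFilename": WINGET_DIR + "setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer] ZoneId=3 HostUrl=https://github.com/contoso/tool/releases/v1.0/setup.exe",
    },
    # ZoneId=2 (intranet) does not carry the Internet-zone prefix.
    "ip_literal_source_intranet_zone": {
        "TargetFilename": WINGET_DIR + "setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer] ZoneId=2 HostUrl=http://10.0.0.5/setup.exe",
    },
    # Same download outside the WinGet temp dir is out of scope for this rule.
    "ip_literal_source_outside_winget_dir": {
        "TargetFilename": DOWNLOADS_DIR + "setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer] ZoneId=3 HostUrl=http://198.51.100.7/setup.exe",
    },
    # A hostname that starts with a digit also satisfies "://1": a false-positive shape.
    "hostname_starting_with_digit": {
        "TargetFilename": WINGET_DIR + "setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer] ZoneId=3 ReferrerUrl=https://1drv.ms/ HostUrl=https://1drv.ms/u/s!AbCd",
    },
    # Bracketed IPv6 literal begins with "://[" and slips past the digit markers.
    "ipv6_literal_source": {
        "TargetFilename": WINGET_DIR + "setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer] ZoneId=3 HostUrl=http://[2001:db8::1]/setup.exe",
    },
}


def evaluate(events: Dict[str, Dict[str, str]] = SAMPLE_EVENTS) -> Dict[str, bool]:
    """Run the selection over every record and return {record name: matched}."""
    return {name: matches_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        flag = "ALERT" if hit else "     "
        print(f"{flag} {name:40} HostUrl={host_url(SAMPLE_EVENTS[name])}")
```

Two of the constructed records show where triage effort goes. The `://1` to `://9` markers are only a proxy for an IP-literal HostUrl, so a hostname that begins with a digit (the 1drv.ms record) fires as well, and the list does not cover `://0` or a bracketed IPv6 literal, which pass silently; tune the contains list per the comment in the rule rather than treating a hit as proof of an IP-address source.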
References
MITRE ATT&CK
Tactics (from the rule's tags): Defense Evasion, Persistence
Rule Metadata
Rule ID
a3f5c081-e75b-43a0-9f5b-51f26fe5dba2
Status
test
Level
high
Type
Detection
Created
Tue Apr 18
Path
rules/windows/create_stream_hash/create_stream_hash_winget_susp_package_source.yml
Raw Tags
attack.defense-evasion, attack.persistence