title: Monitoring Winget For LOLbin Execution
id: 313d6012-51a0-4d93-8dfc-de8553239e25
description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
status: experimental
references: 
    - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
author: Sreeman
date: 2020/21/04
modified: 2021/06/11
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '.*(?i)winget install (--m|-m).*'
    condition: selection
falsepositives:
    - Admin activity installing packages not in the official Microsoft repo. Winget probably wont be used by most users.
fields:
    - CommandLine
level: medium