mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
26 lines
1.1 KiB
YAML
26 lines
1.1 KiB
YAML
title: Monitoring Winget For LOLbin Execution
|
|
id: 313d6012-51a0-4d93-8dfc-de8553239e25
|
|
description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
|
|
status: experimental
|
|
references:
|
|
- https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
|
|
author: Sreeman
|
|
date: 2020/21/04
|
|
modified: 2021/06/11
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.execution
|
|
- attack.t1059
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
CommandLine|contains:
|
|
- '.*(?i)winget install (--m|-m).*'
|
|
condition: selection
|
|
falsepositives:
|
|
- Admin activity installing packages not in the official Microsoft repo. Winget probably wont be used by most users.
|
|
fields:
|
|
- CommandLine
|
|
level: medium |