Sigma | Level: high | Type: Hunting
Potential Suspicious Winget Package Installation
Detects potential suspicious winget package installation from a suspicious source.
Detection Query
selection:
    Contents|startswith: "[ZoneTransfer] ZoneId=3"
    Contents|contains:
        - ://1
        - ://2
        - ://3
        - ://4
        - ://5
        - ://6
        - ://7
        - ://8
        - ://9
    TargetFilename|endswith: :Zone.Identifier
    TargetFilename|contains: \AppData\Local\Temp\WinGet\
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-04-18
Data Sources
windowscreate_stream_hash
Platforms
windows
Tags
attack.defense-evasion, attack.persistence
Raw Content
title: Potential Suspicious Winget Package Installation
id: a3f5c081-e75b-43a0-9f5b-51f26fe5dba2
status: test
description: Detects potential suspicious winget package installation from a suspicious source.
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-18
tags:
    - attack.defense-evasion
    - attack.persistence
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Contents|startswith: '[ZoneTransfer] ZoneId=3'
        Contents|contains:
            # Note: Add any untrusted sources that are custom to your env
            - '://1'
            - '://2'
            - '://3'
            - '://4'
            - '://5'
            - '://6'
            - '://7'
            - '://8'
            - '://9'
        TargetFilename|endswith: ':Zone.Identifier'
        TargetFilename|contains: '\AppData\Local\Temp\WinGet\'
    condition: selection
falsepositives:
    - Unknown
level: high
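To show how the `selection` above evaluates against events, here is an added Python example (not the rule author's or the Sigma project's code) that applies the rule's four conditions to constructed Sysmon FileCreateStreamHash (Event ID 15) records reduced to the two fields the rule reads; the sample paths and URLs are invented.

```python
# Added example, not part of the rule. Events are constructed records carrying
# only TargetFilename and Contents, with the Zone.Identifier stream contents
# flattened to a single line the way the rule's `startswith` expects.
WINGET_TEMP = "\\AppData\\Local\\Temp\\WinGet\\"
# '://1' .. '://9' match a URL whose host begins with a digit, i.e. a bare IP
# address. Caveat: a hostname that starts with a digit also matches; tune the
# list (see the rule's note) if that produces noise in your environment.
IP_HOST_MARKERS = [f"://{d}" for d in "123456789"]


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's `selection`: the four field conditions are ANDed
    (Sigma map semantics) and the Contents|contains list is an OR."""
    contents = event.get("Contents", "")
    target = event.get("TargetFilename", "")
    return (
        contents.startswith("[ZoneTransfer] ZoneId=3")
        and any(marker in contents for marker in IP_HOST_MARKERS)
        and target.endswith(":Zone.Identifier")
        and WINGET_TEMP in target
    )


def parse_zone_identifier(contents: str) -> dict:
    """Split flattened [ZoneTransfer] ini text into key=value fields so an
    analyst can pull ReferrerUrl/HostUrl out of a hit for triage."""
    fields = {}
    for token in contents.replace("[ZoneTransfer]", "").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def scan(events: list) -> list:
    """Return the indices of events that satisfy the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


SAMPLE_EVENTS = [  # constructed records
    {  # winget staged a package whose Mark-of-the-Web points at a bare IP: fires
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\WinGet\\Example.Tool_1.0\\tool.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer] ZoneId=3 ReferrerUrl=http://198.51.100.23/tool.exe HostUrl=http://198.51.100.23/tool.exe",
    },
    {  # same staging path, but fetched from a hostname: no match
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\WinGet\\Example.Tool_1.0\\tool.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer] ZoneId=3 ReferrerUrl=https://downloads.example.com/tool.exe HostUrl=https://downloads.example.com/tool.exe",
    },
    {  # bare-IP referrer, but a browser download outside the WinGet temp dir: out of scope
        "TargetFilename": "C:\\Users\\alice\\Downloads\\tool.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer] ZoneId=3 ReferrerUrl=http://198.51.100.23/tool.exe HostUrl=http://198.51.100.23/tool.exe",
    },
]
```

Running `scan(SAMPLE_EVENTS)` returns `[0]`; `parse_zone_identifier` on that hit exposes the `ReferrerUrl` an analyst would check first.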