winget.exe

Windows Package Manager tool

Paths

  • C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe

Commands

Execute

Downloads a file from the web address specified in a .yml manifest file and executes it on the system. The local manifest setting must be enabled in winget for this to work: `winget settings --enable LocalManifestFiles`

Use case: Download and execute an arbitrary file from the internet

Privileges: Local Administrator - required to enable local manifest setting

winget.exe install --manifest {PATH:.yml}

Download

Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` to obtain ProcDump and PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.

Use case: Download and install software from Microsoft Store, even if Microsoft Store App is blocked

Privileges: User

winget.exe install --accept-package-agreements -s msstore {name or ID}

AWL Bypass

Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine, and even if AppLocker is active on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` to obtain ProcDump and PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.

Use case: Download and install software from Microsoft Store, even if Microsoft Store App is blocked, and AppLocker is activated on the machine

Privileges: User

winget.exe install --accept-package-agreements -s msstore {name or ID}

Detection
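
An added example, not part of the original entry: one way to flag the three command patterns listed above in process-creation command lines. The sample lines and finding names are constructed, and the `-m` and `--source` forms are the short and long forms of the flags shown on this page.

```python
import ntpath
import shlex

# Constructed sample command lines (not captured telemetry), in the form they
# would appear in process-creation logs.
SAMPLES = [
    r'"C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe" settings --enable LocalManifestFiles',
    r'winget.exe install --manifest C:\Users\user\Downloads\pkg.yml',
    r'winget install --accept-package-agreements -s msstore 9p7knl5rwt25',
    r'winget.exe upgrade --all',
    r'notepad.exe C:\notes\winget install --manifest.txt',
]

def tokenize(cmdline):
    """Split a Windows command line, keeping backslashes intact."""
    try:
        parts = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quote: fall back to whitespace splitting
        parts = cmdline.split()
    return [p.strip('"') for p in parts]

def classify(cmdline):
    """Return the set of findings for one process command line."""
    tokens = tokenize(cmdline)
    if not tokens:
        return set()
    # Only consider processes whose image is winget, not mentions in arguments.
    if ntpath.basename(tokens[0]).lower() not in ("winget.exe", "winget"):
        return set()
    args = [t.lower() for t in tokens[1:]]
    findings = set()
    if "settings" in args and "--enable" in args and "localmanifestfiles" in args:
        findings.add("local-manifest-enabled")
    if "install" in args:
        if "--manifest" in args or "-m" in args:
            findings.add("install-from-local-manifest")
        for flag in ("-s", "--source"):
            # The source name is the token right after the flag.
            if flag in args and args[args.index(flag) + 1:][:1] == ["msstore"]:
                findings.add("install-from-msstore")
    return findings

def scan(lines):
    """Map each command line that produced findings to those findings."""
    return {line: found for line in lines if (found := classify(line))}

if __name__ == "__main__":
    for line, found in scan(SAMPLES).items():
        print(sorted(found), line)
```

Matching is on the image file name and arguments only, so a renamed copy of the binary would need a check on the original file name field of the log source instead.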

Resources