LoFP / False positives are expected with legitimate sources

Techniques

Sample rules

Add New Download Source To Winget

Description

Detects use of winget to add additional download sources.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
    - 'source '
    - 'add '
selection_img:
  - Image|endswith: '\winget.exe'
  - OriginalFileName: 'winget.exe'
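To show what this selection logic fires on, here is an added Python evaluator (not code from the LoFP page or the Sigma project) that applies the same two selections to a few constructed process-creation events; the events, paths and URLs in it are made up for the example.

```python
"""Constructed example: evaluates the Sigma selection logic above against a few
hand-written process-creation events. Not code from the LoFP page or Sigma."""

# The rule's two selections; Sigma string comparisons are case-insensitive.
SELECTION_IMG = [                      # a list of maps means OR between items
    {"Image|endswith": "\\winget.exe"},
    {"OriginalFileName": "winget.exe"},
]
SELECTION_CLI = {"CommandLine|contains|all": ["source ", "add "]}


def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier' key against an event, as Sigma would."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    needles = [n.lower() for n in (expected if isinstance(expected, list) else [expected])]
    if "endswith" in mods:
        return any(value.endswith(n) for n in needles)
    if "contains" in mods:
        hits = (n in value for n in needles)
        return all(hits) if "all" in mods else any(hits)   # 'all' modifier
    return value in needles                                 # plain equality


def matches_rule(event):
    """condition: all of selection_*  (selection_img AND selection_cli)."""
    img = any(field_matches(event, k, v) for item in SELECTION_IMG for k, v in item.items())
    cli = all(field_matches(event, k, v) for k, v in SELECTION_CLI.items())
    return img and cli


# Constructed events (not real telemetry).
EVENTS = [
    # Admin adding an internal feed: the expected, legitimate false positive.
    {"Image": r"C:\Users\u\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "OriginalFileName": "winget.exe",
     "CommandLine": "winget source add -n internal https://pkgs.example.internal"},
    # Renamed copy: the OriginalFileName branch still identifies it.
    {"Image": r"C:\Temp\wg.exe", "OriginalFileName": "winget.exe",
     "CommandLine": "wg.exe SOURCE ADD mirror https://mirror.example.test"},
    # Routine install: neither 'source ' nor 'add ' in the command line.
    {"Image": r"C:\Program Files\WindowsApps\winget.exe", "OriginalFileName": "winget.exe",
     "CommandLine": "winget install Microsoft.PowerShell"},
    # Listing sources: 'source ' present but no 'add '.
    {"Image": r"C:\Program Files\WindowsApps\winget.exe", "OriginalFileName": "winget.exe",
     "CommandLine": "winget source list"},
]


def evaluate(events=EVENTS):
    """Return one boolean per event: True where the rule would fire."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate()):
        print("ALERT " if hit else "ok    ", e["CommandLine"])
```

Because `contains|all` only checks that both substrings occur somewhere, the first event is exactly the legitimate-source false positive the page warns about; triage it by the source URL and the account that added it.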