LoFP: false positives might occur if the users are unaware of such control checks

Techniques

Sample rules

Add Insecure Download Source To Winget

Description

Detects usage of winget to add a new insecure (HTTP) download source. Winget will not allow the addition of insecure sources, hence this could indicate potentially suspicious activity (or a typo).

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
    - 'source '
    - 'add '
    - 'http://'
selection_img:
  - Image|endswith: '\winget.exe'
  - OriginalFileName: 'winget.exe'
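To show how the detection logic above behaves on process-creation telemetry, here is an added Python evaluator (not LoFP's or the Sigma project's code) run over constructed sample events. It implements only the modifiers this rule uses (contains|all, endswith, exact match, case-insensitive as Sigma backends do); the event field values are made up.

```python
"""Evaluate the winget insecure-source rule above against constructed events (added example)."""

# Selections transcribed from the rule; a dict is AND across keys, a list of dicts is OR.
SELECTION_CLI = {"CommandLine|contains|all": ["source ", "add ", "http://"]}
SELECTION_IMG = [{"Image|endswith": "\\winget.exe"}, {"OriginalFileName": "winget.exe"}]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier...' entry against an event (case-insensitive)."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in (expected if isinstance(expected, list) else [expected])]
    if "contains" in mods:
        hits = (w in value for w in wanted)
        return all(hits) if "all" in mods else any(hits)
    if "endswith" in mods:
        return any(value.endswith(w) for w in wanted)
    return value in wanted  # no modifier: exact (case-insensitive) match


def selection_matches(event, selection):
    """Sigma semantics: list of maps -> OR across items; map -> AND across its keys."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection_* -> selection_cli AND selection_img."""
    return selection_matches(event, SELECTION_CLI) and selection_matches(event, SELECTION_IMG)


# Constructed sample process-creation events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "CommandLine": "winget source add -n internal http://pkg.corp.example/repo"},   # plain http: alert
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "CommandLine": "winget source add -n internal https://pkg.corp.example/repo"},  # https: no alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c echo "winget source add http://x"'},                     # not winget: no alert
    {"Image": r"C:\Temp\other.exe", "OriginalFileName": "winget.exe",
     "CommandLine": "other.exe source add http://pkg.corp.example/repo"},            # matched via PE name
]


def matching_indices(events=EVENTS):
    """Return the indices of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    print(matching_indices())  # [0, 3]
```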