Potential Suspicious Winget Package Installation

Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects potential suspicious winget package installation from a suspicious source.

Event coverage

Provider | Event ID | Title
Sysmon   | 15       | FileCreateStreamHash

Stages and Predicates

Stage 1: selection (all four predicates must match)

or (any of):
  Contents|contains: '://1'
  Contents|contains: '://2'
  Contents|contains: '://3'
  Contents|contains: '://4'
  Contents|contains: '://5'
  Contents|contains: '://6'
  Contents|contains: '://7'
  Contents|contains: '://8'
  Contents|contains: '://9'
Contents|startswith: '[ZoneTransfer]  ZoneId=3'
TargetFilename|endswith: ':Zone.Identifier'
TargetFilename|contains: '\AppData\Local\Temp\WinGet\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field          | Kind        | Values                                       | Corpus
Contents       | match       | ://1, ://2, ://3, ://4, ://5, ://6, ://7,     |
               |             | ://8, ://9                                   |
Contents       | starts_with | [ZoneTransfer]  ZoneId=3                     | corpus 2 (sigma 2)
TargetFilename | ends_with   | :Zone.Identifier                             | corpus 3 (sigma 3)
TargetFilename | match       | \AppData\Local\Temp\WinGet\                  |
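The selection above, evaluated over constructed Sysmon Event ID 15 records as an added example (not part of the rule or the SigmaHQ project): the four predicates are ANDed, the nine '://<digit>' values are ORed, and matching is case-insensitive as Sigma string modifiers require. The sample events, user name and IP address are made up for illustration.

```python
# Sigma selection of this rule, transcribed as Python predicates.
# Sigma string modifiers compare case-insensitively, so everything is lowercased.
HOST_URL_DIGIT = [f"://{d}" for d in range(1, 10)]  # '://1' .. '://9'


def matches_rule(event: dict) -> bool:
    """True if a Sysmon Event ID 15 (FileCreateStreamHash) record satisfies the selection.

    The four predicates are ANDed (a Sigma map); the Contents|contains list is ORed.
    """
    target = event.get("TargetFilename", "").lower()
    contents = event.get("Contents", "").lower()
    return (
        "\\appdata\\local\\temp\\winget\\" in target
        and target.endswith(":zone.identifier")
        and contents.startswith("[zonetransfer]  zoneid=3")
        and any(p in contents for p in HOST_URL_DIGIT)
    )


# Constructed sample events, not real telemetry. Sysmon renders the ADS text
# with its line breaks collapsed to two spaces, hence the double spaces.
SAMPLE_EVENTS = [
    {   # Internet-zone download from a bare IP into the WinGet temp folder -> alert
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\WinGet\tool.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=http://198.51.100.7/tool.exe",
    },
    {   # same folder, but the host is a name, not a digit -> no alert
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\WinGet\tool.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=https://example.org/tool.exe",
    },
    {   # bare-IP download outside the WinGet folder -> out of scope, no alert
        "TargetFilename": r"C:\Users\alice\Downloads\tool.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=http://198.51.100.7/tool.exe",
    },
    {   # ZoneId=2 (Trusted Sites) rather than 3 (Internet) -> no alert
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\WinGet\tool.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]  ZoneId=2  HostUrl=http://198.51.100.7/tool.exe",
    },
]


def alerting_events(events):
    """Filter a list of events down to those the rule would fire on."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", e["TargetFilename"])
```

Note that the '://<digit>' patterns also match hostnames that begin with a digit (for example 1password.com), so a hit still needs the HostUrl checked by an analyst.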