From f4a9d4a899132a053845246fd0dce7dd4cce01bf Mon Sep 17 00:00:00 2001 From: unrooted Date: Sat, 13 Jul 2024 00:38:51 +0200 Subject: [PATCH 1/6] Update Winget.yml --- yml/OSBinaries/Winget.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index d2629dee0..e7e1b2299 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml @@ -11,6 +11,13 @@ Commands: Privileges: Local Administrator - required to enable local manifest setting MitreID: T1105 OperatingSystem: Windows 10, Windows 11 + - Command: winget.exe install [ms store ID] + Description: 'Allows to download any MS Store program, using it's Store ID, even if MS Store itself is blocked on the machine. Has some potential if someone pushes malicious programs into the MS Store.' + Usecase: Download and install software from MS Store even if MS Store is blocked + Category: Execute + Privileges: User + MitreID: T1072 + OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe Code_Sample: @@ -26,3 +33,4 @@ Resources: Acknowledgement: - Person: Paul Handle: '@saulpanders' + - Person: Konrad 'unrooted' Klawikowski From a0bbc353e81fd7b0c382d7237170a4e4d293149f Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 17 Aug 2024 22:55:32 +0100 Subject: [PATCH 2/6] Update Winget.yml --- yml/OSBinaries/Winget.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index e7e1b2299..2b07d54e8 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml 
@@ -5,18 +5,18 @@ Author: Paul Sanders Created: 2022-01-03 Commands: - Command: winget.exe install --manifest manifest.yml - Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: "winget settings --enable LocalManifestFiles"' + Description: 'Downloads a file from the web address specified in manifest.yml and executes it on the system. Local manifest setting must be enabled in winget for it to work: `winget settings --enable LocalManifestFiles`' Usecase: Download and execute an arbitrary file from the internet Category: Execute Privileges: Local Administrator - required to enable local manifest setting MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: winget.exe install [ms store ID] - Description: 'Allows to download any MS Store program, using it's Store ID, even if MS Store itself is blocked on the machine. Has some potential if someone pushes malicious programs into the MS Store.' - Usecase: Download and install software from MS Store even if MS Store is blocked - Category: Execute + - Command: winget.exe install [Microsoft Store ID] + Description: Download and install any software from the Microsoft Store using its Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. + Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked + Category: Download Privileges: User - MitreID: T1072 + MitreID: T1105 OperatingSystem: Windows 10, Windows 11 Full_Path: - Path: C:\Users\user\AppData\Local\Microsoft\WindowsApps\winget.exe From b81161d4d606e1c450a24ca314ff7194dd9ba251 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 17 Aug 2024 23:44:16 +0100 Subject: [PATCH 3/6] Update Winget.yml --- yml/OSBinaries/Winget.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index 2b07d54e8..e24c6d2d2 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml @@ -11,8 +11,8 @@ Commands: Privileges: Local Administrator - required to enable local manifest setting MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - - Command: winget.exe install [Microsoft Store ID] - Description: Download and install any software from the Microsoft Store using its Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. + - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] + Description: Download and install any software from the Microsoft Store using its Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked Category: Download Privileges: User From 5a5dde3d573e8ecd1aa3d1ce7c8f1b72f775ec54 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 17 Aug 2024 23:48:14 +0100 Subject: [PATCH 4/6] Update Winget.yml --- yml/OSBinaries/Winget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index e24c6d2d2..8fb7d601c 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] - Description: Download and install any software from the Microsoft Store using its Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. + Description: Download and install any software from the Microsoft Store using its Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this. Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked Category: Download Privileges: User From fb082a9cde1a0f0542734749454d8f91879fc9d3 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 17 Aug 2024 23:50:40 +0100 Subject: [PATCH 5/6] Update Winget.yml --- yml/OSBinaries/Winget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index 8fb7d601c..fa595fb6f 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] - Description: Download and install any software from the Microsoft Store using its Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this. + Description: 'Download and install any software from the Microsoft Store using its Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked Category: Download Privileges: User From f2cdd5794f0f13a15e6221e969a17561a2ec7001 Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 17 Aug 2024 23:51:06 +0100 Subject: [PATCH 6/6] Update Winget.yml --- yml/OSBinaries/Winget.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/OSBinaries/Winget.yml b/yml/OSBinaries/Winget.yml index fa595fb6f..f5ad51eba 100644 --- a/yml/OSBinaries/Winget.yml +++ b/yml/OSBinaries/Winget.yml 
@@ -12,7 +12,7 @@ Commands: MitreID: T1105 OperatingSystem: Windows 10, Windows 11 - Command: winget.exe install --accept-package-agreements -s msstore [name or ID] - Description: 'Download and install any software from the Microsoft Store using its Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' + Description: 'Download and install any software from the Microsoft Store using its name or Store ID, even if the Microsoft Store App itself is blocked on the machine. For example, use "Sysinternals Suite" or `9p7knl5rwt25` for obtaining ProcDump, PsExec via the Sysinternals Suite. Note: a Microsoft account is required for this.' Usecase: Download and install software from Microsoft Store, even if Microsoft Store App is blocked Category: Download Privileges: User
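Review bot: In [PATCH 1/6], the new entry's MitreID T1072 (Software Deployment Tools) does not match what the entry documents; pulling a package from the Store onto the host is ingress tool transfer, T1105, the same ID the existing manifest entry already uses, and Category: Execute is likewise a stretch for a download/install action. The Description also needs an editorial pass ("Allows to download", "it's Store ID") and the closing sentence ("Has some potential if someone pushes malicious programs into the MS Store") is speculation rather than observed behaviour and should be dropped or moved to Resources.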
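Review bot: In [PATCH 2/6], the rewritten Description for the Store entry is left as an unquoted plain YAML scalar while the first entry's Description is single-quoted; keep both quoted so that later additions containing `: ` or other indicator characters cannot turn the value into an invalid mapping. The change of MitreID to T1105 and Category to Download is consistent with the existing entry, but the Usecase still says "install", so either keep Execute as a second Category or make the Usecase wording match "Download".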
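Review bot: In [PATCH 3/6], the Command now accepts `[name or ID]` and adds `-s msstore` and `--accept-package-agreements`, but the Description still says "using its Store ID" only; update it to say name or Store ID so the two lines agree. Since the example name "Sysinternals Suite" contains a space, the Command placeholder should make clear that a name must be quoted on the command line, otherwise a reader copying the example gets a parse error.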
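Review bot: In [PATCH 4/6], appending "Note: a Microsoft account is required for this." to an unquoted plain scalar introduces a `: ` sequence inside the value, which YAML parsers reject as an unexpected mapping key; wrap the whole Description in single quotes, as the first entry already does. The account requirement is worth stating, but it also affects Privileges: User, so consider noting there that a signed-in Microsoft account is required in addition to a standard user context.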