feat: update winget related rules

rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml

@@ -1,31 +0,0 @@
-title: Monitoring Winget For LOLbin Execution
-id: 313d6012-51a0-4d93-8dfc-de8553239e25
-status: experimental
-description: Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them without touching disk. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.
-references:
-    - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
-    - https://lolbas-project.github.io/lolbas/Binaries/Winget/
-author: Sreeman, Florian Roth (Nextron Systems), Frack113
-date: 2020/04/21
-modified: 2023/01/03
-tags:
-    - attack.defense_evasion
-    - attack.execution
-    - attack.t1059
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_img:
-        - Image|endswith: '\winget.exe'
-        - OriginalFileName: 'winget.exe'
-    selection_install_flag:
-        CommandLine|contains: 'install'
-    selection_manifest_flag:
-        CommandLine|contains:
-            - '-m '
-            - '--manifest'
-    condition: all of selection_*
-falsepositives:
-    - Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users.
-level: medium

rules/windows/process_creation/proc_creation_win_winget_add_custom_source.yml

@@ -0,0 +1,33 @@
+title: Add New Download Source To Winget
+id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
+related:
+    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
+      type: similar
+    - id: c15a46a0-07d4-4c87-b4b6-89207835a83b
+      type: similar
+status: experimental
+description: Detects usage of winget to add new additional download sources
+references:
+    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
+    - https://github.com/nasbench/Misc-Research/tree/54b22564d1b945ac08ee3c93580500a275a8a21f/LOLBINs/Winget
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/17
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\winget.exe'
+        - OriginalFileName: 'winget.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'source '
+            - 'add '
+    condition: all of selection_*
+falsepositives:
+    - False positive are expected with legitimate sources
+level: medium

rules/windows/process_creation/proc_creation_win_winget_add_insecure_custom_source.yml

@@ -0,0 +1,36 @@
+title: Add Insecure Download Source To Winget
+id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
+related:
+    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
+      type: similar
+    - id: c15a46a0-07d4-4c87-b4b6-89207835a83b
+      type: similar
+status: experimental
+description: |
+    Detects usage of winget to add a new insecure (http) download sources.
+    Winget will not allow the addition of insecure sources, hence why this could indicate potential suspicious activity (or typo)
+references:
+    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
+    - https://github.com/nasbench/Misc-Research/tree/54b22564d1b945ac08ee3c93580500a275a8a21f/LOLBINs/Winget
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/17
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\winget.exe'
+        - OriginalFileName: 'winget.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'source '
+            - 'add '
+            - 'http://'
+    condition: all of selection_*
+falsepositives:
+    - False positives might occur if the users are unaware of such control checks
+level: high

rules/windows/process_creation/proc_creation_win_winget_add_susp_custom_source.yml

@@ -0,0 +1,36 @@
+title: Add Potential Suspicious New Download Source To Winget
+id: c15a46a0-07d4-4c87-b4b6-89207835a83b
+related:
+    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
+      type: similar
+    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
+      type: similar
+status: experimental
+description: Detects usage of winget to add new potentially suspicious download sources
+references:
+    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
+    - https://github.com/nasbench/Misc-Research/tree/54b22564d1b945ac08ee3c93580500a275a8a21f/LOLBINs/Winget
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/17
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\winget.exe'
+        - OriginalFileName: 'winget.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'source '
+            - 'add '
+    selection_source_direct_ip:
+        # This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details
+        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml

@@ -0,0 +1,37 @@
+title: Install New Package Via Winget Local Manifest
+id: 313d6012-51a0-4d93-8dfc-de8553239e25
+status: experimental
+description: |
+    Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
+    The manifest option enables you to install an application by passing in a YAML file directly to the client.
+    Winget can be used to download and install exe's, msi, msix files later.
+references:
+    - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install
+    - https://lolbas-project.github.io/lolbas/Binaries/Winget/
+    - https://github.com/nasbench/Misc-Research/tree/54b22564d1b945ac08ee3c93580500a275a8a21f/LOLBINs/Winget
+author: Sreeman, Florian Roth (Nextron Systems), frack113
+date: 2020/04/21
+modified: 2023/04/17
+tags:
+    - attack.defense_evasion
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\winget.exe'
+        - OriginalFileName: 'winget.exe'
+    selection_install_flag:
+        CommandLine|contains:
+            - 'install'
+            - ' add ' # https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCLICore/Commands/InstallCommand.h
+    selection_manifest_flag:
+        CommandLine|contains:
+            - '-m '
+            - '--manifest'
+    condition: all of selection_*
+falsepositives:
+    - Some false positives are expected in some environment that may use this functionality to install and test their custom applications
+level: medium

rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml

@@ -0,0 +1,25 @@
+title: Winget Admin Settings Modification
+id: fa277e82-9b78-42dd-b05c-05555c7b6015
+status: experimental
+description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
+references:
+    - https://github.com/nasbench/Misc-Research/tree/54b22564d1b945ac08ee3c93580500a275a8a21f/LOLBINs/Winget
+    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/17
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection:
+        EventType: SetValue
+        Image|endswith: '\winget.exe'
+        TargetObject|startswith: '\REGISTRY\A\'
+        TargetObject|endswith: '\LocalState\admin_settings'
+    condition: selection
+falsepositives:
+    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
+level: low

rules/windows/registry/registry_set/registry_set_winget_enable_local_manifest.yml

@@ -0,0 +1,23 @@
+title: Enable Local Manifest Installation With Winget
+id: fa277e82-9b78-42dd-b05c-05555c7b6015
+status: experimental
+description: Detects changes to the AppInstaller (winget) policy specifically the activation of the local manifest installation. Which allows a user to install new packages via custom manifests.
+references:
+    - https://github.com/nasbench/Misc-Research/tree/54b22564d1b945ac08ee3c93580500a275a8a21f/LOLBINs/Winget
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/17
+tags:
+    - attack.defense_evasion
+    - attack.persistence
+logsource:
+    product: windows
+    category: registry_set
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|endswith: '\AppInstaller\EnableLocalManifestFiles'
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Administrators or developers might enable this for testing purposes or to install custom private packages
+level: medium