# *Unofficial WinGet Source Added*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1105 | Ingress Tool Transfer | https://attack.mitre.org/techniques/T1105/ |
| T1059 | Command and Scripting Interpreter | https://attack.mitre.org/techniques/T1059/ |
#### Description
This rule detects when a new WinGet package source is added from an unofficial URL, either via the `winget.exe` command-line interface or through PowerShell using the WinGet DSC (Desired State Configuration) cmdlets, and when the AppInstaller policy keys that govern additional sources or hash validation are changed. Adversaries may add custom package sources to distribute malicious software or maintain persistence.
#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**
## Defender XDR
```KQL
let OfficialSources = dynamic([
"winget.azureedge.net",
"cdn.winget.microsoft.com"
]);
let AppInstallerPolicyKey = "SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller";
// CLI source add: winget accepts both the long (--name/--arg) and short (-n/-a) flags
let CliSourceAdd =
DeviceProcessEvents
| where FileName =~ "winget.exe"
| where ProcessCommandLine has_all ("source", "add")
| extend SourceName = extract(@"(?i)(?:--name|-n)\s+(\S+)", 1, ProcessCommandLine)
| extend SourceUrl = extract(@"(?i)(?:--arg|-a)\s+(\S+)", 1, ProcessCommandLine)
| where not(SourceUrl has_any (OfficialSources))
| extend SignalType = "CLI_SourceAdd"
| extend RegistryKey = "", RegistryValueName = "", RegistryValueData = "";
// DSC / PowerShell COM
let DscSourceAdd =
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Microsoft.WinGet.DSC", "WinGetPackageSource", "Add-WinGetSource")
| where ProcessCommandLine has_any ("Add-WinGetSource", "Ensure", "Add")
| where not(ProcessCommandLine has_any (OfficialSources))
| extend SourceName = extract(@"(?i)Name\s*=\s*['""]?(\S+?)['""]?[\s,\)]", 1, ProcessCommandLine)
| extend SourceUrl = extract(@"(?i)Argument\s*=\s*['""]?(\S+?)['""]?[\s,\)]", 1, ProcessCommandLine)
| extend SignalType = "DSC_SourceAdd"
| extend RegistryKey = "", RegistryValueName = "", RegistryValueData = "";
// Registry AdditionalSources changes: each value under the AdditionalSources policy key
// holds a JSON string {"Name":...,"Arg":...,"Type":...}; the value name is only an index
let RegAdditionalSources =
DeviceRegistryEvents
| where RegistryKey has AppInstallerPolicyKey
| where RegistryKey has "AdditionalSources"
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| extend Src = parse_json(RegistryValueData)
| extend SourceName = coalesce(tostring(Src.Name), RegistryValueName)
| extend SourceUrl = coalesce(tostring(Src.Arg), tostring(RegistryValueData))
| extend SignalType = "Reg_AdditionalSources"
// DeviceRegistryEvents has no AccountName column; take it from the initiating process
| extend AccountName = InitiatingProcessAccountName
| extend ProcessCommandLine = InitiatingProcessCommandLine;
// Policy enable additional sources
let RegEnableAdditional =
DeviceRegistryEvents
| where RegistryKey has AppInstallerPolicyKey
| where RegistryValueName =~ "EnableAdditionalSources"
| where ActionType == "RegistryValueSet"
| where tolong(RegistryValueData) == 1
| extend SourceName = "", SourceUrl = ""
| extend SignalType = "Reg_PolicyManipulation_EnableAdditionalSources"
| extend AccountName = InitiatingProcessAccountName
| extend ProcessCommandLine = InitiatingProcessCommandLine;
// Policy disable hash validation
let RegHashOverride =
DeviceRegistryEvents
| where RegistryKey has AppInstallerPolicyKey
| where RegistryValueName =~ "EnableHashOverride"
| where ActionType == "RegistryValueSet"
| where tolong(RegistryValueData) == 1
| extend SourceName = "", SourceUrl = ""
| extend SignalType = "Reg_PolicyManipulation_EnableHashOverride"
| extend AccountName = InitiatingProcessAccountName
| extend ProcessCommandLine = InitiatingProcessCommandLine;
union
CliSourceAdd,
DscSourceAdd,
RegAdditionalSources,
RegEnableAdditional,
RegHashOverride
| project
Timestamp,
DeviceName,
AccountName,
SignalType,
SourceName,
SourceUrl,
RegistryKey,
RegistryValueName,
RegistryValueData,
ProcessCommandLine,
ReportId,
DeviceId
| sort by Timestamp desc
```
This KQL (Kusto Query Language) query detects when an unofficial WinGet package source is added to a system. WinGet is the Windows package manager, and adding unofficial sources is one way an adversary can distribute malicious software or maintain persistence on a device. Here's a simplified breakdown of what the query does:
1. Define official sources: it starts by listing the official WinGet source hosts, which are the trusted URLs.
2. Detect CLI source additions: it checks for `winget.exe` being run with `source add`, extracts the source name and URL from the command line, and flags the event if the URL is not one of the official sources.
3. Detect PowerShell DSC source additions: it looks for PowerShell commands that add WinGet sources through the `Microsoft.WinGet.DSC` module (the `WinGetPackageSource` resource or `Add-WinGetSource`). Again, if the source URL is not official, the event is flagged.
4. Monitor registry changes: it watches the Windows registry under the `AppInstaller` policy key for:
   - values created or set under `AdditionalSources`, which define extra package sources by policy;
   - `EnableAdditionalSources` being set to 1, which allows those policy-defined sources to be used;
   - `EnableHashOverride` being set to 1, which allows the installer hash check to be overridden.
5. Combine results: the query unions the results of all these checks and sorts them by the time they occurred, providing the device name, account name, type of signal (e.g., CLI source add, registry change), source name, source URL, and any relevant registry or command-line details.
Overall, this query helps identify potentially unauthorized or malicious modifications to the WinGet package sources on a device, which could indicate a security threat.
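As an added example (not part of the original rule or the author's repository), the following Python script re-implements the rule's five branches over constructed telemetry records, so the extraction patterns, the official-source allow list and the registry policy checks can be exercised offline before the KQL is deployed. The record shape, the `Table` routing field, the host `pkgs.contoso.example` and all sample command lines are constructed for the test; the JSON layout assumed for values under the `AdditionalSources` policy key (`Name`/`Arg`/`Type`) is an assumption about the policy format, not something the rule page states. The CLI patterns accept both winget's long and short flags (`--name`/`-n`, `--arg`/`-a`).

```python
import json
import re

OFFICIAL_SOURCES = ("winget.azureedge.net", "cdn.winget.microsoft.com")
APPINSTALLER_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\AppInstaller".lower()

# Extraction patterns; the CLI ones accept winget's long and short flags (--name/-n, --arg/-a).
CLI_NAME_RE = re.compile(r'(?i)(?:--name|-n)\s+"?([^\s"]+)')
CLI_ARG_RE = re.compile(r'(?i)(?:--arg|-a)\s+"?([^\s"]+)')
DSC_NAME_RE = re.compile(r'''(?i)\bName\s*=\s*['"]?([^\s'",)]+)''')
DSC_ARG_RE = re.compile(r'''(?i)\bArgument\s*=\s*['"]?([^\s'",)]+)''')

def first(pattern, text):
    """First capture group or "" (KQL extract() semantics)."""
    m = pattern.search(text)
    return m.group(1) if m else ""

def is_official(text):
    return any(host in text.lower() for host in OFFICIAL_SOURCES)

def signal(kind, event, name, url):
    """One output row in the shape of the rule's final project; registry rows use the initiating process."""
    return {
        "SignalType": kind,
        "DeviceName": event["DeviceName"],
        "AccountName": event.get("AccountName") or event.get("InitiatingProcessAccountName", ""),
        "SourceName": name,
        "SourceUrl": url,
        "ProcessCommandLine": event.get("ProcessCommandLine") or event.get("InitiatingProcessCommandLine", ""),
    }

def check_process(event):
    """CliSourceAdd and DscSourceAdd branches over one DeviceProcessEvents row."""
    cmd = event["ProcessCommandLine"]
    lowered = cmd.lower()
    image = event["FileName"].lower()
    if image == "winget.exe":
        words = set(re.findall(r"[a-z0-9_]+", lowered))  # approximates KQL has_all term matching
        if not {"source", "add"} <= words:
            return None
        url = first(CLI_ARG_RE, cmd)
        return None if is_official(url) else signal("CLI_SourceAdd", event, first(CLI_NAME_RE, cmd), url)
    if image in ("powershell.exe", "pwsh.exe"):
        if not any(m in lowered for m in ("microsoft.winget.dsc", "wingetpackagesource", "add-wingetsource")):
            return None
        if not any(m in lowered for m in ("add-wingetsource", "ensure", "add")) or is_official(cmd):
            return None
        return signal("DSC_SourceAdd", event, first(DSC_NAME_RE, cmd), first(DSC_ARG_RE, cmd))
    return None

def check_registry(event):
    """RegAdditionalSources, RegEnableAdditional and RegHashOverride branches."""
    key = event["RegistryKey"].lower()
    if APPINSTALLER_POLICY_KEY not in key:
        return None
    action = event["ActionType"]
    vname = event.get("RegistryValueName", "").lower()
    data = event.get("RegistryValueData", "")
    if "additionalsources" in key and action in ("RegistryKeyCreated", "RegistryValueSet"):
        # Assumption: each value under the AdditionalSources policy key holds a JSON string
        # {"Name": ..., "Arg": ..., "Type": ...}; fall back to the raw value if it is not JSON.
        try:
            src = json.loads(data) if data.startswith("{") else {}
        except json.JSONDecodeError:
            src = {}
        return signal("Reg_AdditionalSources", event, src.get("Name", vname), src.get("Arg", data))
    if action == "RegistryValueSet" and data.strip() == "1":
        if vname == "enableadditionalsources":
            return signal("Reg_PolicyManipulation_EnableAdditionalSources", event, "", "")
        if vname == "enablehashoverride":
            return signal("Reg_PolicyManipulation_EnableHashOverride", event, "", "")
    return None

def run(events):
    checks = {"DeviceProcessEvents": check_process, "DeviceRegistryEvents": check_registry}
    hits = [checks[ev["Table"]](ev) for ev in events]
    return [h for h in hits if h]  # the union of all branch hits is the rule's output

# Constructed sample telemetry (not real events): one hit per branch plus two expected non-hits.
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppInstaller"
SAMPLE_EVENTS = [
    {"Table": "DeviceProcessEvents", "DeviceName": "ws01", "AccountName": "jdoe", "FileName": "winget.exe",
     "ProcessCommandLine": "winget.exe source add --name contoso --arg https://pkgs.contoso.example/index"},
    {"Table": "DeviceProcessEvents", "DeviceName": "ws01", "AccountName": "jdoe", "FileName": "winget.exe",
     "ProcessCommandLine": "winget.exe source add -n winget -a https://cdn.winget.microsoft.com/cache"},
    {"Table": "DeviceProcessEvents", "DeviceName": "ws02", "AccountName": "admin", "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh.exe -c \"Invoke-DscResource -ModuleName Microsoft.WinGet.DSC -Name WinGetPackageSource "
                           "-Method Set -Property @{Name='contoso'; Argument='https://pkgs.contoso.example/index'; Ensure='Present'}\""},
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws03", "ActionType": "RegistryValueSet",
     "RegistryKey": POLICY + r"\AdditionalSources", "RegistryValueName": "1",
     "RegistryValueData": '{"Name":"contoso","Arg":"https://pkgs.contoso.example/index","Type":"Microsoft.PreIndexed.Package"}',
     "InitiatingProcessCommandLine": "svchost.exe -k netsvcs -p -s gpsvc", "InitiatingProcessAccountName": "system"},
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws03", "ActionType": "RegistryValueSet",
     "RegistryKey": POLICY, "RegistryValueName": "EnableHashOverride", "RegistryValueData": "1",
     "InitiatingProcessCommandLine": "regedit.exe", "InitiatingProcessAccountName": "admin"},
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws03", "ActionType": "RegistryValueSet",
     "RegistryKey": POLICY, "RegistryValueName": "EnableHashOverride", "RegistryValueData": "0",
     "InitiatingProcessCommandLine": "regedit.exe", "InitiatingProcessAccountName": "admin"},
]
```

Calling `run(SAMPLE_EVENTS)` yields four hits, one for each branch except `RegEnableAdditional`, while the re-add of the official `cdn.winget.microsoft.com` source and the `EnableHashOverride = 0` change produce none. Feeding exported `DeviceProcessEvents` and `DeviceRegistryEvents` rows (same column names, plus a `Table` field) through `run()` gives a cheap regression harness for the extraction patterns when the rule is tuned.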

Benjamin Zulliger
Released: June 22, 2026