winget: Install ROGUE Software & Packages?
Key Takeaways
The video demonstrates the use of winget, a Windows package manager tool, to install genuine software and rogue applications, highlighting its potential for penetration testing and red teaming, as well as its limitations and potential risks, including the installation of malicious software from remote locations, and discusses the use of logging and manifest files to track and configure installations, with a focus on cybersecurity and defensive AI techniques, and mentions PlexTrac as a cybersecur
Full Transcript
when a hacker compromises a computer what they do next really tends to vary but it's likely that they're going to end up using some living off the land techniques or using tools utilities and programs and applications that are already on the Target on the victim operating system and computer to do what they might then further do for the Windows operating system a lot of these living off the land binary scripts libraries other techniques tricks and tips you could end up using are publicly available they're online and documented in this low bass GitHub repository and a web page to be able to look through them and of course if you're looking for Linux tips and tricks and techniques you can use the GTFO bins or LOL drivers if you're looking at drivers and how they might be used for this purpose there are a ton of these if you haven't seen them before but what I want to focus on in this video is winget and win gets a little bit new hey brought to life in recent modern Windows operating systems I see it in Windows 10 also see it on Windows 11 and it is inherent native installed by default in the those modern operating systems it is the windows package manager tool a lot like chocolaty but now actually official and formal and built into the operating system it parallels a lot like yum or apt or aptitude or any of the repository package managers that you might see on the Linux world and you use it to install genuine software like real official programs and applications that you want to use but in this case hey it can be used to just install and execute code from any other remote location if you tweak it and play with it a little bit you could actually download a file from any other web address that you might specify in a custom yaml manifest configuration file it'll execute it it'll just run it and for this reason it's one of those interesting things that could be used for offensive tooling or hacking red teaming penetration testing yada yada so there already is a lot of really cool research and Intel and articles and blogs and write-ups all about this sort of thing hey credit where credit is due this article is from Saul panders this is way back at the very start of 2022 so a little bit dated right but taking a look at Windgate as a low bin or low bass technique but they note look it might just be kind of mostly useless it has a couple little idiosyncrasies and things that make a little bit of hesitation and genuinely using this but you might have some creativity to still use it for your own purposes if you are a I don't know penetration tester red teamer Etc the gimmick here is that look winget supports all these other installation types exe MSI msix Apex blah blah blah but the thing is it looks legitimate like it is a real genuine Windows utility and if you're on a developer system maybe you landed in some programmer employee or an engineer's box you could still end up using this and blend in so hey that's enough talk let's go ahead and play with it I'll fire it up with the windows terminal uh just hit the Run dialog box with the windows Super Key and R and then WT is the command to run it now I can just run winget and if I actually just display all the help information you can see what it might be able to do install things show information about packages Source maybe you're managing sources or the repositories that you pull things down from search for list upgrade install blah blah blah and other options to just kind of check out the version of the application or get some more information about the tool you can use tact info now that is actually pretty worthwhile because if you end up using uh wget tactac info you can see the logs location as to where it stores all of the information that it might be tracking as it does what it does it's logs right you could actually go see there is an environment variable here for local app data packages Microsoft desktop apps etc etc it's a long path but if we copy that we could fire up Explorer and why don't I navigate to that location I'll just paste it in and you can see hey there are a couple invocations for me running winget just now let's go see I don't know fire up one of these hey it just sees winget being ran without any other arguments or applications to it right there's no other flags or parameters that we passed in that was just trying to get the usage of the application and then of course as we just ran tact info oh that's displayed there this could be useful and worthwhile because it is logging as to what applications it might have pulled down for whatever forensics blue team DFI are stuff that you could be threat hunting for uh note though that you could end up actually setting on verbose logging that enables verbose logging for wingets I'm curious if that's going to be a set and forget if you run that uh or we need to make a change in the settings.json file because there is a uterus a user settings location that we could modify and add to if you want to check out the Microsoft documentation for that let me try to run winget with tactac verbose logging oh it's tact verbose logs forgive me yeah that needs something done so that needs a command that is not set for everything that you end up doing we can try to manipulate these settings here though I don't know if that will display it okay cool looks like notepad or any other text editor will try to open up we can always have that opened here and that is the settings.json file that I assume is in the location directory that it put in at least that path that we saw in the attack attack info command it does give us a link here for some more documentation and info so we can go take a look at that looks like this is in a GitHub repository and it notes a couple of things here you could change the source settings you could change visual progress bars that's kind of neat uh I'm interested more in logging there are a couple others that you might be able to dig into here but oh here's a worthwhile one logging level could showcase just about everything if you wanted to and verbose is what we'll end up using however if you use the tact for both logs commandlet argument it does what it does so let me copy and paste that in here I'll try and save this and uh we'll see if this comes through if I close out of this now what else can we do okay so if we wanted to try and install things just kind of quick and easy from a local like user controlled location like that we can manipulate you probably will have to create your own manifest.yml file now you'll need to do that and actually have Windows and winget trust those locally defined manifest files you will need to change the settings so that this is actually actually allowed to happen this is again modifying those settings so I'm curious if we run this command when we enable this what will that settings dot Json file look like we can go ahead and try that out let me get back to my terminal paste this in and run it and oh that does of course require admin privileges to execute so let me close out of the shell I'll open up another one with Ctrl shift enter UAC prompt to let me through and now we can see if I paste that in do we have any success uh interesting it probably had a mistake or error while I was trying to work with the settings.json file so maybe it didn't like the list option that I gave it there let me see if win gets settings will bring that up properly yeah things are broken here doesn't like logging makes sense let's just set this to only be verbose so we don't have a full uh list there and I don't think that needs a comma so now because that didn't actually take effect of the other one seemingly it just gave that success message even though there was an error uh so how about that that seems to to work now what does our settings look like doesn't actually showcase it in settings.json that's kind of interesting we can uh touch on that again in just a moment but anyway we are set up now to be able to work with local manifest files and we can configure something that we could install or execute and run right actually use the functionality of this low bin even though we've had to run into a couple speed bumps because you will require admin privileges to actually turn on that functionality of local manifest files if you put together your own manifest file here's some example syntax here's what all the uh necessary keys and values not strictly values you can obviously change that while you're writing this and we can build out our own test proof of concept hey before we start the fireworks and light this thing off please let me give a quick shout out and some love to today's sponsor Plex track when you're performing a penetration test you're in the zone you're hacking away and you're having fun Gathering findings beating up vulnerabilities and earning domain admin but you might be dreading the work that come comes after you have to write a report but writing a pen test report doesn't have to be dull and boring and long and tedious in fact it can be a breeze you don't even have to worry about your report because Plex track can handle it for you if you aren't familiar Plex track is the Premier cyber security reporting and collaboration platform that makes penetration testers red teamers and cyber security teams more efficient effective and proactive Plex track removes the pain of reporting and lets you collaborate between both red and blue teams for Effective purple teaming and faster remediation the Plex track platform lets you easily aggregate findings pull in reusable content from write-up databases and content libraries and track and measure engagement progress in real time import assets from CSV files or nmap or nessus and so many others of your favorite tools with over 25 Integrations you can streamline your reporting and collaboration process right into your existing workflow you can even faster testing with plextrax run books and show the impact to managers in leadership with Plex tracks analytics and visualizations within minutes you can have your pen test report done and dusted all with your team's logo and details and then sent off to the client spend more time hacking and less time reporting learn how you can boost your team's efficiency by 30 percent and cut reporting Time by up to 65 percent with Plex track seriously check out Plex track I have great colleagues and peers that use Plex track every day for reporting get started with my link below in the video description and let you and your team get back to hacking huge thanks to Plex track for sponsoring this video now it's worth noting here if you're trying to be that threat actor you put your hacker hat on and your play pretend bad person then you probably want to still try to blend in that's the whole point of you using this living off the land technique so what I've done is created a sort of a typo squatting domain hey lookalike domain where I created like a live.sys internals.com like you might actually pull down the system Turtles utilities but I've just simply merely replaced hey the lowercase i at the very first I in the word CIS internals to a l because that way if you actually had this in capital letters right even from the command line like if you were trying to do Powershell invoke web request download whatever uh Powershell doesn't care about your casing and nor does your web browser if you actually have this in the web browser link like I can just go to live.sys internals capital L for live capital S for CIS internals and the L the lowercase L for my I will still look sort of kind of like an eye so maybe a a short small stupid trick to fool and potentially slip past fly under the radar for anything that we want to actually use here I just staged this live systemternals.com as a fake phishing domain thing I think that can make for some fun social engineering now every single link here all of the executables whether or not to dll even the text file chmsis whatever they all are calculator they're all the calculator application just for the simple proof of concept and so I have my custom manifest.yml file with the values configured for just a simple test installer to play with winget here and executable that we want to download and install x64 architecture from my live system turtles.com procmon executable you will need the shot 256 hash you would need a little bit of a checksum for the application that you're trying to download and install or execute really and that's A-Okay we can just slap that in because we know what we want to be pulling down and then let me see I'm going to have uh the logs cleared out here because I want to be able to track and see hey what log output is there once I execute this thing we'll have process Explorer open up on the left hand side to see things work and now can I try to use wingets to install tact manifest dot slash manifest.yml let's see found the test pulling it down executes it procmon.exe popped open and there's our stupid dumb calculator application now okay look that's our low bin in a small simple proof of concept innocent way but what do we have for logs and what did we actually see Pop open in process Explorer uh we could take a look back at some of the other research and articles that we've seen out on the internet but we can also just look back in at our logs to see what's going on where how and when there's our invocation could clue us into the actual path of the Manifest file and then we can also see everything that it's using for some of the temporary installations maybe we could retrieve those files if you were to still see them after the fact and you could see of course the URL that I actually try to pull from my live system internals.com procmon.exe interesting chatter about the message of the wild or Mark of the web sorry I don't know why I got the Legend of Zelda uh breath of the wild in there and some things to note that it does actually keep track of these an installed database we can see that chat about in some of the other articles that we'll read up on but I do want to at least kind of give that info to you all the SQL statements and a ton of them because we've just turned on verbose logging is included in here like this log file is now massive for everything that it's done but you've at least now got the insight as to what file tried to be received where it got put and actually like named after the test and seller package that you want to grab all that is present and accessible for you in these log files this is you should be the source of truth if you're trying to hunt this down last couple things that I do want to mention hey these other articles they do in fact note again hey the executable that is ran here that it is going to be named after the package that you define within your manifest file and they discussed look why is this mostly useless and it's really just kind of a cutesy novelty again you need admin rights to be able to play with this but in some cases you probably already have that and you just want to blend in and lurk here maybe the local manifest file is also a speed bump smart screen could get in the way it could be really anything but I just thought it would be worthwhile to put on your radar if you're playing from The Blue Team purple team defensive uh perspective here at dfir digital forensics and instant response you can still be tracking this down again with the log files that we got to play with and all Kudos and credit to nasbench who got to do some recent research on this and he was sharing it out on the twitterverse I was tracking I thought that would be really good and worthwhile to bring to your attention there are some other Rumblings in though like look if you try to modify or temper with the actual sources like where it might naturally install from rather than a local manifest file you could do that but uh that probably also needs admin rights package installers also have their own individual logs in the exact same folder and directory that we were just in so you could see everything that was done there and if you want to do any changes with GPO to actually Force these local manifest file settings you can do that just as well nasbench mentions and discusses the install.db sqlite database that we saw included in reference within our logs he didn't get a whole lot of time to dig into it so if anything maybe I leave that as a call to action for you if there's anything you might be interested in this sort of approach and playing with winget there are of course plenty of example yaml files if you wanted to Tinker and maybe you'll find some other cool sweet stuff just as well so there you have it yet another other living off the land technique may be worthwhile maybe cutesy maybe novel I don't know your mileage may vary but I thought hey it's kind of a neat and interesting one wanted to put it on your radar and wind gets like it looks pretty cool it looks pretty legitimate it looks pretty uh I don't know real for a developer workstation for an engineer employee it could be anything uh it might still be something that could blend in for natural operations on a Windows operating systems and if you're using a type of squad domain like CIS internals maybe there's some damage to be done hey thanks so much for watching hope you enjoyed this video and hey check out our sponsor Plex track always doing awesome stuff in the penetration testing purple teaming scene and you know the drill like comment subscribe I'll see in the next video
Original Description
https://jh.live/plextrac || Save time and effort on pentest reports with PlexTrac's premiere reporting & collaborative platform: https://jh.live/plextrac 😎
🔥 YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ https://jh.live/discord ↔ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: AI Security
View skill →Related Reads
🎓
Tutor Explanation
DeepCamp AI