winget: Install ROGUE Software & Packages?

  • Date added: 6. 09. 2024
  • j-h.io/plextrac || Save time and effort on pentest reports with PlexTrac's premiere reporting & collaborative platform in a FREE one-month trial! j-h.io/plextrac 😎
    🔥 YouTube ALGORITHM ➡ Like, Comment, & Subscribe!
    🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
    🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
    🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
    💥 SEND ME MALWARE ➡ jh.live/malware

Comments • 34

  • @MoustacheChauveau
    @MoustacheChauveau A year ago +13

    I did not validate this with the winget docs, but if setting the LocalManifestFiles configuration would modify the user settings of winget, why would an attacker not simply edit that file to have the setting on instead of having to impersonate local admin? I think this would explain why changing the setting does not edit the user settings json.

    • @CZghost
      @CZghost A year ago +4

      I guess the file is likely also protected against writing with admin privileges.
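The thread above turns on whether the LocalManifestFiles setting lives somewhere a non-admin user can edit. Independent of where winget stores it, the observable events on an endpoint are the command lines themselves: `winget settings --enable LocalManifestFiles` (which winget only accepts from an elevated prompt) and a subsequent `winget install --manifest`/`-m <local yaml>`. The following is an added detection example, not code from the video or any commenter; the event field names (`user`, `parent`, `cmdline`) and the sample events are constructed to resemble a simplified EDR or Sysmon process-creation export.

```python
# Constructed sample process-creation events (assumed simplified
# EDR/Sysmon-style fields: user, parent process, full command line).
SAMPLE_EVENTS = [
    {"user": "alice", "parent": "explorer.exe",
     "cmdline": "winget install --id Git.Git -e"},
    {"user": "alice", "parent": "powershell.exe",
     "cmdline": "winget settings --enable LocalManifestFiles"},
    {"user": "alice", "parent": "powershell.exe",
     "cmdline": r"winget install --manifest C:\Users\alice\Downloads\rogue.yaml"},
    {"user": "svc_build", "parent": "cmd.exe",
     "cmdline": r"C:\Users\svc_build\AppData\Local\Microsoft\WindowsApps\winget.exe install -m .\manifests\app.yaml --silent"},
    {"user": "bob", "parent": "explorer.exe",
     "cmdline": "winget upgrade --all"},
]


def classify_winget(cmdline):
    """Label one command line, or return None when it is not of interest.

    Simplified tokeniser: splits on whitespace, so a quoted path containing
    spaces would need shlex-style handling in a real pipeline.
    """
    argv = cmdline.split()
    if not argv:
        return None
    # Accept both a bare "winget" and a full path to winget.exe.
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("winget", "winget.exe"):
        return None
    args = [a.lower() for a in argv[1:]]
    # Step 1 of the technique: the admin-only settings change.
    if args[:1] == ["settings"] and "--enable" in args and "localmanifestfiles" in args:
        return "winget_local_manifests_enabled"
    # Step 2: an install driven by a local manifest rather than a configured source.
    if args[:1] == ["install"] and ("--manifest" in args or "-m" in args):
        return "winget_install_from_local_manifest"
    return None


def scan_events(events):
    """Run classify_winget over a list of events and collect the findings."""
    findings = []
    for ev in events:
        label = classify_winget(ev["cmdline"])
        if label is not None:
            findings.append({"user": ev["user"], "parent": ev["parent"],
                             "label": label, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['label']}] user={f['user']} parent={f['parent']}: {f['cmdline']}")
```

Correlating the two labels for the same user within a short window is the stronger signal: an ordinary developer may legitimately enable local manifests once, but an enable followed by an install from a path under Downloads or Temp is the pattern the video describes.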

  • @aviationbutterr
    @aviationbutterr A year ago +2

    Little tip, around 6:24 you exit the terminal to open up a new admin one. I don't know about you but that gets a little annoying for me to do, so I found this tool called "gsudo". You can call it as gsudo or just sudo. If you just type `gsudo` it will do a UAC prompt and then bring you to a new privileged PowerShell environment, but if you do `gsudo [commands ...]` it will just do that command with admin privileges and then bring you back to your normal environment. I find it pretty handy.

  • @6r1nch4
    @6r1nch4 A year ago +1

    Love it, I use winget all the time as a System Engineer

  • @ReligionAndMaterialismDebunked

    Just 31 comments. Damn. Hehe. I saw this on my feed many hours ago, but now I'm here, at 21 hours ago posted status. Hehe

  • @f.andersen3824
    @f.andersen3824 A year ago +1

    Uhhh, didn’t know about winget at all. Thanks man, very interesting.

  • @blinking_dodo
    @blinking_dodo A year ago +3

    Neat. Also,
    I am pretty sure that unzipping a folder can trigger network activity...
    Not gonna talk about it here, since I would be using it as my own 0-day.
    (Or is John interested?)

    • @Thiole
      @Thiole A year ago +2

      You should email him directly instead of having it up here.

    • @blinking_dodo
      @blinking_dodo A year ago +1

      @@Thiole Yeah no, I am not going to just burn a potential 0-day on my own.
      If he is interested he can ask me to mail something, but if he doesn't read it, I'd rather not wake the sleeping John... 🙃

    • @DD-vp7fz
      @DD-vp7fz A year ago +3

      That's not a 0day but expected behavior

    • @ryanstricklin198
      @ryanstricklin198 A year ago +4

      Don’t think you understand what a zero day is since this is a common action that occurs

    • @uuu12343
      @uuu12343 A year ago +2

      You keep calling it zero-day, but that's not a zero-day.
      Unzipping a folder via remote network connections such as SSH will trigger as a network activity... BECAUSE IT IS A NETWORK ACTIVITY.
      It's down to your IDS to note down the whitelisted addresses or the blacklisted addresses.
      That's by nature.

  • @_._._._._._._.__._._._._._._._

    Interesting....

  • @Vilematrix
    @Vilematrix A year ago +1

    I always wonder. Malwarebytes uses LOL strings. Whut

  • @dom1310df
    @dom1310df A year ago +4

    TIL that winget is a thing. Will have to use it when I next need to install software on Windows. Might stop me from going crazy.

    • @Beateau
      @Beateau A year ago

      Seriously. I seem to have to install Teams every time I use a new computer or tablet at work (which is often). This will be a lot faster than trying to do it through the store or browser. One simple cmd line. Elegant.

  • @uzumakiuchiha7678
    @uzumakiuchiha7678 A year ago

    It's kewl

  • @dtvdavid
    @dtvdavid A year ago

    So if I interpret it correctly, these LOLBAS things are like syskey.exe in the past?

  • @YouChwb
    @YouChwb A year ago

    Probs malware...well, someone was going to say it eventually.

  • @baxuvis275
    @baxuvis275 A year ago

    sixth comment posted here

  • @RazoBeckett.
    @RazoBeckett. A year ago

    I was watching ...

  • @RX_100.0
    @RX_100.0 A year ago +1

    Okay, I am first

  • @DayzGone
    @DayzGone A year ago

    He uses PowerShell instead of cmd. Is there any reason as to why?

    • @sahilsinhahhh8329
      @sahilsinhahhh8329 A year ago

      winget is PowerShell native

    • @iam-py-test
      @iam-py-test A year ago +3

      @@sahilsinhahhh8329 winget is not part of PowerShell; it is an executable and can be run from cmd, or any other way to run an executable. (It is located in C:\Users\%username%\AppData\Local\Microsoft\WindowsApps\ on my system)

    • @1stAshaMan
      @1stAshaMan A year ago +5

      Probably because PowerShell is more similar to the Linux terminals he's used to than Command Prompt is

    • @DayzGone
      @DayzGone A year ago +1

      @@1stAshaMan I noticed a difference even with the dir command. cmd just shows directories. PowerShell displays permissions and the last time a folder was accessed. I might switch lol

    • @iam-py-test
      @iam-py-test A year ago +1

      @@DayzGone Agreed. The only thing is that I'm familiar with Linux ls and cmd.exe dir, so it will take some learning

  • @vnc.t
    @vnc.t A year ago

    Why have winget download and execute the virus if you have a shell already? Why not do it yourself?

  • @BoneE710S
    @BoneE710S A year ago

    There's no audio