Addition to winget.exe: AWL/Applocker Bypass on executables(like sysinternals) with winget.exe

[FredCyberSecurity]

Hello.

A addition to winget.exe (https://lolbas-project.github.io/lolbas/Binaries/Winget/)

You have listed Execute and Download as categories.

This is also a AWL (Applocker) Bypass.

Since winget.exe is auto elevating and install packages under ProgramFiles/WindowsApps, this bypasses a Deny rule on executables in Applocker.
The default rule allows programs to run under the ProgramFiles folder(where winget put it's packages).

Poc:

1. Set up a Deny Policy on a sysinternal executable in Applocker
2. Open cmd as a standard user and use winget with the following command, to download and install sysinternals: winget install 9P7KNL5RWT25
3. Navigate to the tools folder of WindowsApps sysinternals: C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite_2024.12.0.0_x64__8wekyb3d8bbwe\tools
4. Execute the .exe of one of the sysinternals that has a deny rule in Applocker
5. It will execute and run the .exe

Video PoC:
https://www.youtube.com/watch?v=zuL7x4Wltto

ALSO the --location switch (if supported) or -i in winget - can potentially install programs and executables in other whitelisted folders in Applocker.

Let me know what you think!

[wietze]

Hey, cool find! The PoC video really helped bringing it to live, thanks.

It is probably worth adding another entry to https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Winget.yml with Category set to AWL bypass with your finding. Similar to the existing Download one, it should be kept generic, with SysInternals used as an example.