https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-03 14:06:492026-03-03 14:06:491.2 Million Affected by University of Hawaii Cancer Center Data Breach
Researchers have uncovered a Wi-Fi vulnerability that allows nearby attackers to intercept sensitive data and execute machine-in-the-middle attacks against connected devices.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-03 14:06:482026-03-03 14:06:48New ‘AirSnitch’ Attack Shows Wi-Fi Client Isolation Could be a False Sense of Security
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-03 13:06:562026-03-03 13:06:56AI Agent Overload: How to Solve the Workload Identity Crisis
Europol’s Project Compass targets The Com (aka 764 network), an online group exploiting minors. After 30 arrests, officials say the hunt for those involved is far from over.
Hackread – Cybersecurity News, Data Breaches, AI and More – Read More
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-03 13:06:552026-03-03 13:06:55Project Compass Targets 764 Network as 30 Arrested and Victims Rescued
Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections.
It’s advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand’s real URL. It also lets
The Rise of MCPs in the Enterprise
The Model Context Protocol (MCP) is quickly becoming a practical way to push LLMs from “chat” into real work. By providing structured access to applications, APIs, and data, MCP enables prompt-driven AI agents that can retrieve information, take action, and automate end-to-end business workflows across the enterprise. This is already showing up in production
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-03 12:06:302026-03-03 12:06:30AI Agents: The Next Wave Identity Dark Matter – Powerful, Invisible, and Unmanaged
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2026-03-03 11:06:432026-03-03 11:06:43Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise
TL;DR: While not new, a self-referencing LNK file in combination with winget configuration instructions can be a viable initial access payload for environments where the Microsoft Store is not disabled.
When tasked to design a payload for an initial access scenario for a red teaming project, we typically look for inspiration in:
That is when my colleague Sylvain noticed the .winget extension mapped to the following command, allowing easy execution with a double click:
winget.exe configure "%1" --wait
While the abuse potential of winget is not new, it seems to be largely neglected by the defensive security community. This is also indicated by its absence from the aforementioned dangerous file block lists. A reason might be that the legitimate functionality is actively promoted by Microsoft to install e.g., developer dependencies in a streamlined way:
From an offensive security perspective it is convenient that the Mark of the Web (MoTW) is not taken into consideration and no SmartScreen integration seems to exist.
Quick Introduction
So what is the winget configuration functionality? It is built upon (PowerShell) Desired State Configuration (DSC) a declarative system configuration management platform. If you are familiar with Ansible, similar concepts apply where individual, ideally idempotent, configuration steps should result in a consistent system state.
The configure component requires extended features, which if needed, can be enabled from a low-privileged user context with:
winget configure --enable
The default resources facilitate access to environment variables and the registry, support archive extraction and process creation as well as PowerShell script execution. More than enough functionality to phish for persistence using one of the numerous techniques. As a basic example the following configuration file downloads and runs Sysinternals’ Process Explorer:
From an offensive security perspective winget is a nice proxy for PowerShell execution using legitimate system functionality intended for configuration tasks. The underlying system changes are performed by the ConfigurationRemotingServer.exe process. This has some similarities to scripts being deployed using SCCM where they are executed through CcmExec.exe and often less scrutinized. If needed, all referenced PowerShell resources are automatically downloaded from the PowerShell Gallery and stored in %LOCALAPPDATA%MicrosoftWinGetConfigurationModules.
From an end-user point of view double clicking such a .winget file looks as follows:
Standard behavior when opening a .winget file.
When attempting to convince a phishing target to execute such a payload, there are a number of undesirable properties:
The user has to explicitly confirm the installation by entering Y (or y, case does not matter)
There is lots of confusing text being displayed
Due to the --wait command line option, the console application remains open after execution
Reducing Required User Interaction
Explicit user input can be avoided by either:
Launching winget with the option --accept-configuration-agreements
Supplying the required confirmation input in some other form e.g., echo y | winget ...
The output can be suppressed by redirecting it to >nul.
All these options require direct control of the winget invocation which means the configuration file can no longer be used on its own, but needs to be applied through some trigger file. The most obvious approach is to use a LNK shortcut. This replaces the need for interactive keyboard input with an additional MoTW related security warning dialog which end users are hopefully more likely to accept. Because winget also applies configurations hosted on web servers, the first attempt was to use a shortcut executing:
Extracts the appended winget configuration data using more
Shows a decoy document to distract the user
Executes winget with the required options in the background
To locate the delivered LNK file, we assume that the user either extracted the ZIP archive in the downloads folder or simply opened the archive. In the latter case Windows extracts the selected file to a temporary directory such as: %TMP%2af79810-65c9-4d8d-8a63-5f003ab362c8_update.zip.2c8update.lnk.
Combining steps 1-4 from the above list, results in a shortcut like:
At this point I thought there is no chance that this would fly past a modern EDR.
Predicting how modern EDR systems react is hard
For Microsoft Defender for Endpoint (MDE) it seems to be important that the size of the LNK file as a whole i.e., with the appended data is kept as small as possible. Otherwise alerts such as the one below are generated:
MDE does not seem to like large LNK files
Some practical tips from my limited experience:
Keep the shortcut command line as short as possible, do not exceed ~250 characters
Instead of winget configure use the alias winget dsc
The file extension does not matter: instead of .winget just use .yml or omit it completely
To speed up the configuration process use a single PowerShell script resource
Use commands that map to compiled .NET cmdlets or use APIs such as [System.IO.Compression.ZipFile]::ExtractToDirectory instead of Expand-Archive to avoid the creation of an additional powershell.exe process
Avoid double file extensions like .pdf.lnk
If you encounter an issue on system where extended features are not enabled, add a small delay using e.g. timeout /t 1
If you face a brittle detection on the echo Y | ... construct, use something else like echo y > x & type x | ... or apply slight DOSfuscation
Add more benign files in nested folder structures of the delivered ZIP file
If you are using the standalone winget approach, pad the first 5 lines of your PowerShell script in the configuration file with comments matching your pre-text
End user experience on a system with extended features already enabled. The winget command runs in the background within a minimized console window.
This technique can also be combined with other LNK related tradecraft to hide the executed commands from a curious user when inspecting the shortcut properties.
Detection
To check whether the feature is (ab)used in your environment you can try to run the following KQL query which lists all winget configure invocations. It is important that the substring matching is performed case insensitively:
DeviceProcessEvents
| where FileName =~ "winget.exe"
| where ProcessCommandLine has_any ("configure", "configuration", "dsc")
On affected machines applied configurations and their origin can be listed with:
winget configure list
Furthermore, winget logs all performed invocations in a directory opened by winget --logs. By default the execution time and the used command line arguments are recorded. If the logging verbosity is increased through the configuration file opened by winget settings, the complete configuration instructions and execution of individual steps are also logged.
Remediation
Assuming the winget functionality is not needed at all, the attack surface can be mitigated by disabling the complete Microsoft Store or more specifically the Windows Package Manager (winget) through the EnableAppInstaller policy. General application whitelisting solutions such as Windows Defender Application Control (WDAC) provide another way to prevent execution.
If the Windows package manager is needed, the configuration sub command described in this blog can be individually disabled with the EnableWindowsPackageManagerConfiguration policy directive.
Different error modes depending on whether the store application, the package manager (winget) or its configuration feature is disabled.
If for whatever reason this is not possible, then consider to at least remove the .winget file association. While this does not prevent the LNK shenanigans, it removes the possibility to execute configuration files by simple double clicking them, thereby increasing the required social engineering effort.
Conclusion
We presented a viable initial access payload by chaining two known techniques: winget as a living off the land binary to invoke PowerShell scripts and self-referencing Windows shortcuts as a combined delivery and execution mechanism.
Whenever possible defenders should reduce the attack surface of their systems by disabling unused Windows components and features such as the Microsoft Store, the Windows Package Manager (winget) or its configuration feature.