Weatherlights / Winget-AutoUpdate-Intune

WAUaaS updates apps daily as SYSTEM and notifies users. WAUaaS brings you WAU in a service-like pattern that can be deployed and configured by Microsoft Intune (or other MDM solutions).
MIT License

[Bug]: Suspicious Indicators Detected By Falcon Sandbox - Anti-Detection/Stealthyness #44

Closed amandarino-tei closed 3 weeks ago

amandarino-tei commented 2 months ago

The problem

Please advise on the below Suspicious Indicator detected by Falcon Sandbox regarding the "Winget-AutoUpdate-Install.ps1" script: http://www.hybrid-analysis.com/sample/b69b120f2d61b33f1c473f19f13901710adb4dd25143b1534e9a9d068a0dcf96/66a29dcebc9be41b2d06d035

Suspicious Indicators: 1
Anti-Detection/Stealthyness: Queries process information

Details:
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-707602295 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-707611874 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-708532734 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-708541292 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-711211484 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-711219226 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-711695393 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-711706959 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-712329297 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-713093616 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-713102253 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-715869053 [PID: 588]
"powershell.exe" queried SystemProcessInformation at 00000000-00000588-00000C13-715878504 [PID: 588]
"cmd.exe" queried SystemProcessInformation at 00000000-00004544-00000C13-714966120 [PID: 4544]
"cmd.exe" queried SystemProcessInformation at 00000000-00004544-00000C13-714975293 [PID: 4544]
"cmd.exe" queried SystemProcessInformation at 00000000-00004544-00000C13-715313267 [PID: 4544]
"cmd.exe" queried SystemProcessInformation at 00000000-00004544-00000C13-715321267 [PID: 4544]

Source: API Call
Relevance: 4/10
ATT&CK ID: T1057

Thanks in advance!

What version of WAU has the issue?

Latest

What version of Windows are you using (ex. Windows 11 22H2)?

Windows 10 64 bit, Professional, 10.0 (build 16299), Report generated by Falcon Sandbox © Hybrid Analysis

What version of winget are you using?

N/A

Log information

No response

Additional information

No response
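The indicator above is the sandbox observing NtQuerySystemInformation(SystemProcessInformation) calls, which is the API that Windows uses to enumerate the process list, and which MITRE maps to T1057 (Process Discovery). Ordinary administration cmdlets such as Get-Process, Stop-Process, Wait-Process, tasklist.exe, and Get-CimInstance/Get-WmiObject against Win32_Process all produce exactly this call, so the practical triage step is to find out which commands in the script under review enumerate processes. The following PowerShell is an added example written for this page, not code from the WAU project, and it does not claim to know what Winget-AutoUpdate-Install.ps1 contains: it parses a script with PowerShell's own parser and lists every command whose implementation enumerates processes. The command list and the constructed sample script are assumptions made for illustration.

```powershell
# Added example (not part of the WAU project): static triage of a PowerShell
# script for commands that enumerate the process list. These end up calling
# NtQuerySystemInformation(SystemProcessInformation), which a sandbox reports
# as "queried SystemProcessInformation" and maps to ATT&CK T1057.
using namespace System.Management.Automation.Language

# Commands whose implementation enumerates processes. This list is an
# assumption for illustration, not a complete catalogue.
$ProcessEnumCommands = @(
    'Get-Process', 'gps', 'ps',
    'Stop-Process', 'kill', 'spps',
    'Wait-Process',
    'tasklist', 'tasklist.exe', 'taskkill', 'taskkill.exe'
)

function Find-ProcessEnumeration {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $tokens = $null
    $errors = $null
    $ast = [Parser]::ParseFile($Path, [ref]$tokens, [ref]$errors)
    if ($errors.Count) { throw "Parse errors in ${Path}: $($errors[0].Message)" }

    # Walk every command invocation, including those inside nested script blocks.
    $ast.FindAll({ param($node) $node -is [CommandAst] }, $true) | ForEach-Object {
        $name = $_.GetCommandName()
        if (-not $name) { return }   # e.g. "& $variable": name is not known statically

        $hit = $ProcessEnumCommands -contains $name
        # Get-CimInstance / Get-WmiObject enumerate processes only when asked for Win32_Process.
        if (-not $hit -and $name -in 'Get-CimInstance', 'Get-WmiObject', 'gcim', 'gwmi') {
            $hit = $_.Extent.Text -match 'Win32_Process'
        }

        if ($hit) {
            [pscustomobject]@{
                Line    = $_.Extent.StartLineNumber
                Command = $name
                Text    = $_.Extent.Text
            }
        }
    }
}

# Constructed sample script standing in for a file under review (hypothetical, not WAU's code).
$sample = @'
$winget = Get-Process -Name winget -ErrorAction SilentlyContinue
if ($winget) { Stop-Process -Id $winget.Id -Force }
Get-CimInstance Win32_Process | Where-Object Name -eq 'explorer.exe'
Start-Process -FilePath winget.exe -ArgumentList 'upgrade --all'
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'triage-sample.ps1'
Set-Content -Path $tmp -Value $sample

Find-ProcessEnumeration -Path $tmp | Format-Table -AutoSize

Remove-Item -Path $tmp
```

To triage a real report, point Find-ProcessEnumeration at the script the sandbox ran and compare the hits with the process names in the indicator (here both powershell.exe and a cmd.exe child). Start-Process is deliberately absent from the list: it creates a process rather than enumerating them, so it does not produce this indicator. A low relevance score (4/10 above) on an installer that manages another program's process is consistent with benign use of these cmdlets; the finding becomes interesting only if the enumerating commands in the script serve no purpose visible in its logic.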

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 3 weeks ago

This issue was closed because it has been inactive for 14 days since being marked as stale.