← All stories

Black Hills InfoSec

Microsoft Store and WinGet: Security Risks for Corporate Environments

BHIS · 2025-09-10 · Read original ↗

ATT&CK techniques detected

5 predictions

T1572Protocol Tunneling

99%

"offline copy of the active directory database that can be analyzed offline or parsed and imported into bloodhound. microsoft dev tunnel client the microsoft dev tunnel client can be installed via winget, as illustrated above. the dev tunnel client is intended to allow developers …"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1572Protocol Tunneling

98%

"ssh command above sets up a remote port forward that can be used to force network traffic across the tunnel, through the compromised system, and onto the target network. since the ssh connection targets the localhost ( 127. 0. 0. 1 ) ip address, some security tools ignore the tra…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1505.001SQL Stored Procedures

72%

"attacker requests remote control of the computer to perform their malicious activities. with the right pretext, this ruse is often very effective. dbeaver community edition ( ce ) attackers and malicious users who have gained remote control of a system are likely to search for op…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1187Forced Authentication

63%

"server versions. as a result, we will focus on executing an attack with dbeaver using one of the other extended stored procedures, xp _ dirtree. the xp _ dirtree procedure simply lists the contents of a given file path, which can be local or a universal naming convention ( unc ) …"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

T1204.002Malicious File

44%

". once the desired package is identified, it can be installed using either the name or id in the search results with the winget install command. in the image below, the microsoft dev tunnels client is installed. hopefully, by now you realize that the microsoft store and winget ca…"

Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.

No matches for .

Loading techniques…

Summary

The Microsoft Store provides a convenient mechanism to install software without needing administrator permissions. The feature is convenient for non-corporate and home users but is unlikely to be acceptable in corporate environments. This is because attackers and malicious employees can use the Microsoft Store to install software that might violate organizational policy.

The post Microsoft Store and WinGet: Security Risks for Corporate Environments appeared first on Black Hills Information Security, Inc..