sigmaDRL-1.1from SigmaHQ/sigma
Potential Signing Bypass Via Windows Developer Features - Registry
Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
Quality
98
FP risk
—
Forks
0
Views
0
Rule sourcerules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
title: Potential Signing Bypass Via Windows Developer Features - Registry
id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
related:
- id: a383dec4-deec-4e6e-913b-ed9249670848
type: similar
status: test
description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- https://twitter.com/malmoeb/status/1560536653709598721
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2023-08-17
tags:
- attack.defense-evasion
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
- '\Policies\Microsoft\Windows\Appx\'
TargetObject|endswith:
- '\AllowAllTrustedApps'
- '\AllowDevelopmentWithoutDevLicense'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high