Potential Signing Bypass Via Windows Developer Features
Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
Sigma rule (View on GitHub)
1title: Potential Signing Bypass Via Windows Developer Features
2id: a383dec4-deec-4e6e-913b-ed9249670848
3related:
4 - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
5 type: similar
6status: test
7description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
8references:
9 - Internal Research
10 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-01-11
13tags:
14 - attack.defense-evasion
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 - Image|endswith: '\SystemSettingsAdminFlows.exe'
21 - OriginalFileName: 'SystemSettingsAdminFlows.EXE'
22 selection_flag:
23 CommandLine|contains: 'TurnOnDeveloperFeatures'
24 selection_options:
25 CommandLine|contains:
26 - 'DeveloperUnlock'
27 - 'EnableSideloading'
28 condition: all of selection_*
29falsepositives:
30 - Unknown
31level: high
References
-
Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.
Read More
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity