Potential Signing Bypass Via Windows Developer Features - Registry
Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages.
Sigma rule
title: Potential Signing Bypass Via Windows Developer Features - Registry
id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
related:
    - id: a383dec4-deec-4e6e-913b-ed9249670848
      type: similar
status: test
description: Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages.
references:
    - https://twitter.com/malmoeb/status/1560536653709598721
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2023-08-17
tags:
    - attack.defense-evasion
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
            - '\Policies\Microsoft\Windows\Appx\'
        TargetObject|endswith:
            - '\AllowAllTrustedApps'
            - '\AllowDevelopmentWithoutDevLicense'
        Details: 'DWORD (0x00000001)'
    condition: selection
falsepositives:
    - Unknown
level: high
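As an added example (not part of the rule above or of the SigmaHQ project), the following Python reproduces the rule's `selection` block and runs it over constructed Sysmon Event ID 13 (registry value set) records, which is what the `registry_set` log source maps to. Field names follow Sysmon's registry events; the sample values are invented, and the match is done case-insensitively as Sigma's string modifiers are by default.

```python
# Added example: evaluates this rule's `selection` against constructed
# Sysmon Event ID 13 records. Not part of the original rule page.
from typing import Dict, List

# Mirrors the rule's selection block: all three field checks must hold (AND);
# each list holds alternatives (OR). Backslashes are escaped for Python.
CONTAINS = [
    "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock",
    "\\Policies\\Microsoft\\Windows\\Appx\\",
]
ENDSWITH = ["\\AllowAllTrustedApps", "\\AllowDevelopmentWithoutDevLicense"]
DETAILS = "DWORD (0x00000001)"


def matches(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's `selection`."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    return (
        any(s.lower() in target for s in CONTAINS)
        and any(target.endswith(s.lower()) for s in ENDSWITH)
        and details == DETAILS
    )


# Constructed sample events (Sysmon EID 13 fields, values invented).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Developer Mode switched on: should fire
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
        "Details": "DWORD (0x00000001)",
    },
    {   # Sideloading allowed through the policy key: should fire
        "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\AllowAllTrustedApps",
        "Details": "DWORD (0x00000001)",
    },
    {   # Same value being reset to 0: the rule deliberately ignores this
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock\\AllowDevelopmentWithoutDevLicense",
        "Details": "DWORD (0x00000000)",
    },
    {   # Unrelated value under another key: must not fire
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\Public\\updater.exe",
    },
]


def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[int]:
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Running `run()` on the constructed records returns `[0, 1]`: the two enablement writes alert, while the write that turns the feature back off and the unrelated `Run` value do not.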