Potential Signing Bypass Via Windows Developer Features - Registry

Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.

Sigma rule (View on GitHub)

 1title: Potential Signing Bypass Via Windows Developer Features - Registry
 2id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
 3related:
 4    - id: a383dec4-deec-4e6e-913b-ed9249670848
 5      type: similar
 6status: test
 7description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
 8references:
 9    - https://twitter.com/malmoeb/status/1560536653709598721
10    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-01-12
13modified: 2023-08-17
14tags:
15    - attack.defense-evasion
16logsource:
17    category: registry_set
18    product: windows
19detection:
20    selection:
21        TargetObject|contains:
22            - '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
23            - '\Policies\Microsoft\Windows\Appx\'
24        TargetObject|endswith:
25            - '\AllowAllTrustedApps'
26            - '\AllowDevelopmentWithoutDevLicense'
27        Details: 'DWORD (0x00000001)'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top