Winget Admin Settings Modification

 1title: Winget Admin Settings Modification
 2id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
 3status: test
 4description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
 5references:
 6    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 7    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-04-17
10modified: 2023-08-17
11tags:
12    - attack.defense-evasion
13    - attack.persistence
14logsource:
15    product: windows
16    category: registry_set
17detection:
18    selection:
19        Image|endswith: '\winget.exe'
20        TargetObject|startswith: '\REGISTRY\A\'
21        TargetObject|endswith: '\LocalState\admin_settings'
22    condition: selection
23falsepositives:
24    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
25level: low

References

• Misc-Research/LOLBINs/Winget at b9596e8109dcdb16ec353f316678927e507a5b8d · nasbench/Misc-Research

  

  A collection of tools, scripts and personal research - nasbench/Misc-Research

  
  Read More

• winget-cli/src/AppInstallerCommonCore/Public/winget/AdminSettings.h at 02d2f93807c9851d73eaacb4d8811a76b64b7b01 · microsoft/winget-cli

  

  WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface). - micros...

  
  Read More

Related rules

• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Activity From Anonymous IP Address
• Application Using Device Code Authentication Flow