Winget Admin Settings Modification

Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks.

Sigma rule

```yaml
title: Winget Admin Settings Modification
id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
status: experimental
description: Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/17
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.persistence
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\winget.exe'
        TargetObject|startswith: '\REGISTRY\A\'
        TargetObject|endswith: '\LocalState\admin_settings'
    condition: selection
falsepositives:
    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
level: low
```
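The selection above, evaluated by hand over a few constructed Sysmon registry_set (Event ID 13) records. This is an added example, not part of the rule or of any Sigma backend; the image path, hive GUID and event records are made up, and it shows why the false-positive note applies: the matching event says that winget rewrote admin_settings, not which setting changed.

```python
# Minimal evaluator for the rule's selection block, run over constructed
# Sysmon registry_set (Event ID 13) records. Added example; not part of the
# rule. Paths and the hive GUID below are placeholders.

def _starts_with(value: str, prefix: str) -> bool:
    # Sigma string modifiers compare case-insensitively unless |cased is used
    return value.lower().startswith(prefix.lower())

def _ends_with(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())

def selection_matches(event: dict) -> bool:
    """True when the event satisfies all three selection fields (implicit AND)."""
    image = event.get("Image", "")
    target = event.get("TargetObject", "")
    return (
        _ends_with(image, "\\winget.exe")
        and _starts_with(target, "\\REGISTRY\\A\\")
        and _ends_with(target, "\\LocalState\\admin_settings")
    )

def scan(events: list) -> list:
    """Return the events that fire the rule (condition: selection)."""
    return [e for e in events if selection_matches(e)]

# Constructed sample events; field names follow Sysmon Event ID 13.
WINGET = r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_x64__8wekyb3d8bbwe\winget.exe"
HIVE = r"\REGISTRY\A\{11111111-2222-3333-4444-555555555555}"  # placeholder app hive
SAMPLE_EVENTS = [
    # 1) winget rewriting its admin settings: fires. Details is only
    #    "Binary Data", so the event does not reveal which setting changed.
    {"EventID": 13, "Image": WINGET, "TargetObject": HIVE + r"\LocalState\admin_settings", "Details": "Binary Data"},
    # 2) winget writing its ordinary (non-admin) settings: does not fire
    {"EventID": 13, "Image": WINGET, "TargetObject": HIVE + r"\LocalState\settings", "Details": "Binary Data"},
    # 3) a different process image touching the same value: outside the rule's scope
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": HIVE + r"\LocalState\admin_settings", "Details": "Binary Data"},
    # 4) same as 1) with different casing: still fires (modifiers are case-insensitive)
    {"EventID": 13, "Image": WINGET.upper(), "TargetObject": (HIVE + r"\LocalState\admin_settings").upper(), "Details": "Binary Data"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT (level: low):", hit["Image"], "->", hit["TargetObject"])
```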
