Winget Admin Settings Modification
Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks.
Sigma rule
title: Winget Admin Settings Modification
id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
status: experimental
description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/17
modified: 2023/08/17
tags:
    - attack.defense_evasion
    - attack.persistence
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\winget.exe'
        TargetObject|startswith: '\REGISTRY\A\'
        TargetObject|endswith: '\LocalState\admin_settings'
    condition: selection
falsepositives:
    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
level: low
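The selection above ANDs three string conditions over registry_set events. The following Python is an added example (not part of the rule or the Sigma project) that applies that logic to constructed sample events, assuming the events are already normalised to the Sigma field names Image and TargetObject (for instance Sysmon Event ID 13 after field mapping); the app hive GUID and package path in the samples are placeholders.

```python
# Added example, not from the Sigma project: evaluates this rule's selection against
# registry_set events already normalised to Sigma field names (Image, TargetObject),
# e.g. Sysmon Event ID 13 after field mapping. All sample values below are constructed.

# The selection ANDs its three field conditions. Sigma string modifiers match
# case-insensitively by default, so both sides are case-folded before comparing.
SELECTION = [
    ("Image", "endswith", "\\winget.exe"),
    ("TargetObject", "startswith", "\\REGISTRY\\A\\"),
    ("TargetObject", "endswith", "\\LocalState\\admin_settings"),
]

def _match(value: str, modifier: str, pattern: str) -> bool:
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")

def matches_rule(event: dict) -> bool:
    """True when every field condition of the selection holds for this event."""
    return all(
        isinstance(event.get(field), str) and _match(event[field], mod, pat)
        for field, mod, pat in SELECTION
    )

# Constructed sample events; the app hive GUID and package path are placeholders.
HIVE = "\\REGISTRY\\A\\{00000000-0000-0000-0000-000000000001}"
SAMPLE_EVENTS = [
    {   # winget rewriting its admin settings: expected to alert
        "Image": "C:\\Program Files\\WindowsApps\\<PackageFamily>\\winget.exe",
        "TargetObject": HIVE + "\\LocalState\\admin_settings",
    },
    {   # same key written by another process: the rule requires winget.exe itself
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetObject": HIVE + "\\LocalState\\admin_settings",
    },
    {   # winget touching a different value under LocalState: no match
        "Image": "C:\\Program Files\\WindowsApps\\<PackageFamily>\\WINGET.EXE",
        "TargetObject": HIVE + "\\LocalState\\settings",
    },
]

def scan(events: list) -> list:
    """Return the TargetObject of each matching event. The event does not reveal
    which admin setting changed, which is why the rule is tuned to level: low."""
    return [e["TargetObject"] for e in events if matches_rule(e)]
```

Because the event carries no detail about which setting was written, a hit only tells you that winget touched its admin settings; confirming whether hash checking or local manifests were toggled needs the host's winget settings output or the command line of the originating process.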
Related rules
- Enable Local Manifest Installation With Winget
- Persistence Via New SIP Provider
- Winlogon AllowMultipleTSSessions Enable
- Potential CCleanerDU.DLL Sideloading
- Potential CCleanerReactivator.DLL Sideloading