Enable Local Manifest Installation With Winget

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

Sigma rule (View on GitHub)

 1title: Enable Local Manifest Installation With Winget
 2id: fa277e82-9b78-42dd-b05c-05555c7b6015
 3status: test
 4description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
 5references:
 6    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/04/17
 9modified: 2023/08/17
10tags:
11    - attack.defense_evasion
12    - attack.persistence
13logsource:
14    product: windows
15    category: registry_set
16detection:
17    selection:
18        TargetObject|endswith: '\AppInstaller\EnableLocalManifestFiles'
19        Details: 'DWORD (0x00000001)'
20    condition: selection
21falsepositives:
22    - Administrators or developers might enable this for testing purposes or to install custom private packages
23level: medium

References

Related rules

to-top