Enable Local Manifest Installation With Winget

Aug 17, 2023 · attack.defense_evasion attack.persistence ·

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

Sigma rule (View on GitHub)

 1title: Enable Local Manifest Installation With Winget
 2id: fa277e82-9b78-42dd-b05c-05555c7b6015
 3status: experimental
 4description: Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.
 5references:
 6    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/04/17
 9modified: 2023/08/17
10tags:
11    - attack.defense_evasion
12    - attack.persistence
13logsource:
14    product: windows
15    category: registry_set
16detection:
17    selection:
18        TargetObject|endswith: '\AppInstaller\EnableLocalManifestFiles'
19        Details: 'DWORD (0x00000001)'
20    condition: selection
21falsepositives:
22    - Administrators or developers might enable this for testing purposes or to install custom private packages
23level: medium

References

Misc-Research/LOLBINs/Winget at b9596e8109dcdb16ec353f316678927e507a5b8d · nasbench/Misc-Research

A collection of tools, scripts and personal research - nasbench/Misc-Research

Read More

Enable Local Manifest Installation With Winget

Sigma rule (View on GitHub)

References

Misc-Research/LOLBINs/Winget at b9596e8109dcdb16ec353f316678927e507a5b8d · nasbench/Misc-Research

Related rules