Detects when the enablement of developer features such as “Developer Mode” or “Application Sideloading”. Which allows the user to install untrusted packages.
title: Potential Signing Bypass Via Windows Developer Features - Registry
id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
related:
- id: a383dec4-deec-4e6e-913b-ed9249670848
type: similar
status: test
description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- https://twitter.com/malmoeb/status/1560536653709598721
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2023-08-17
tags:
- attack.stealth
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
- '\Policies\Microsoft\Windows\Appx\'
TargetObject|endswith:
- '\AllowAllTrustedApps'
- '\AllowDevelopmentWithoutDevLicense'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
level: high
imRegistry
| where (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\Appx*") and (RegistryKey endswith "\\AllowAllTrustedApps" or RegistryKey endswith "\\AllowDevelopmentWithoutDevLicense") and RegistryValueData =~ "DWORD (0x00000001)"DeviceRegistryEvents
| where (RegistryKey contains "\\Microsoft\\Windows\\CurrentVersion\\AppModelUnlock" or RegistryKey endswith "\\Policies\\Microsoft\\Windows\\Appx*") and (RegistryKey endswith "\\AllowAllTrustedApps" or RegistryKey endswith "\\AllowDevelopmentWithoutDevLicense") and RegistryValueData =~ "DWORD (0x00000001)"| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |