Detectionlowtest

Winget Admin Settings Modification

Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Mon Apr 17Updated Thu Aug 176db5eaf9-88f7-4ed9-af7d-9ef2ad12f236windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        Image|endswith: '\winget.exe'
        TargetObject|startswith: '\REGISTRY\A\'
        TargetObject|endswith: '\LocalState\admin_settings'
    condition: selection

False Positives

The event doesn't contain information about the type of change. False positives are expected with legitimate changes

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence

Rule Metadata

Rule ID

6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236

Status

test

Level

low

Type

Detection

Created

Mon Apr 17

Modified

Thu Aug 17

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/registry/registry_set/registry_set_winget_admin_settings_tampering.yml

Raw Tags

attack.defense-evasionattack.persistence

View on GitHub