Potential Signing Bypass Via Windows Developer Features - Registry

Sigma Rules

Summary
This detection rule identifies potential security risks associated with enabling Windows Developer Features such as "Developer Mode" and "Application Sideloading". These features allow users to install untrusted applications that may pose a security threat. The rule monitors specific registry modifications, particularly under the paths related to AppModelUnlock and the Appx policies. When a change indicates that one of these features has been enabled, the rule flags it as high severity because of the potential for abuse in bypassing standard application-signing checks. The detection matches on the relevant DWORD registry values being set to '1', which signals explicit permission to install unsigned applications. The intent is to alert security teams to configurations that could lead to unauthorized software installation and an elevated risk of malware deployment.
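As an added illustration (not the rule's own Sigma source), the following Python applies the logic the summary describes to constructed Sysmon registry value-set events. The value names under AppModelUnlock and the Appx policy key are assumed from Windows documentation, since the page names only the two key areas.

```python
import re
from dataclasses import dataclass

# Registry value paths under the two key areas the rule watches. The exact value
# names are an assumption taken from Windows documentation; the page only names
# AppModelUnlock and the Appx policies. Sigma "contains" semantics are used below.
WATCHED_PATHS = (
    r"\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense",
    r"\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowAllTrustedApps",
    r"\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense",
    r"\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps",
)

# Sysmon renders a DWORD write in the Details field as "DWORD (0x00000001)".
DWORD_ONE = re.compile(r"^DWORD \(0x0*1\)$")

@dataclass
class RegistrySetEvent:
    """Minimal view of a Sysmon Event ID 13 (RegistryEvent, Value Set) record."""
    image: str
    target_object: str
    details: str

def matches_dev_feature_bypass(evt):
    """True when the event enables a Developer Mode / sideloading value (DWORD = 1)."""
    path_hit = any(p in evt.target_object for p in WATCHED_PATHS)
    return path_hit and DWORD_ONE.match(evt.details) is not None

def scan(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_dev_feature_bypass(e)]

# Constructed sample telemetry, not real captured data.
SAMPLE_EVENTS = [
    RegistrySetEvent(r"C:\Windows\regedit.exe",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense",
        "DWORD (0x00000001)"),                      # feature enabled: alert
    RegistrySetEvent(r"C:\Windows\System32\svchost.exe",
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps",
        "DWORD (0x00000000)"),                      # value cleared: no alert
    RegistrySetEvent(r"C:\Windows\System32\svchost.exe",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
        "DWORD (0x00000001)"),                      # unrelated key: no alert
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image} set {hit.target_object} = {hit.details}")
```

Only the first sample event fires; a write of 0 to a watched value or a write of 1 elsewhere is ignored, mirroring the rule's DWORD-equals-1 condition.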
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2023-01-12