
Enable Local Manifest Installation With Winget

Sigma Rules

Summary
This detection rule monitors changes to the AppInstaller (winget) policy on Windows systems, specifically the activation of local manifest installations. Enabling local manifest installs allows users to install applications via custom manifests, a capability that can be abused to deploy software if it is not controlled. The rule checks for a Windows Registry value set where the target object indicates that local manifest installations have been enabled; the value that triggers the detection is a DWORD set to 1 (0x00000001), which signifies that the capability is on. Because of the potential for abuse, organizations should monitor such changes carefully to prevent unauthorized installation of software through custom manifests. False positives may arise when system administrators or developers enable this feature for legitimate testing or development, so a review process should be in place to confirm the intent behind such changes.
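The following is an added example, not the Sigma rule itself or code from the rule's authors: it applies the detection logic described above to Sysmon registry "value set" records delivered as JSON lines, and tags each hit with the writing process and user so a reviewer can confirm whether the change was an intended administrative action. It assumes that the winget policy value governing local manifest installs is named EnableLocalManifestFiles under the AppInstaller policy key, and that Sysmon renders a DWORD of 1 in its Details field as "DWORD (0x00000001)"; the sample records are constructed, not captured telemetry.

```python
import json
from typing import Dict, Iterable, List

# Assumption: EnableLocalManifestFiles under the AppInstaller policy key is the
# winget policy value that enables local manifest installs. Matching on the
# path suffix (case-insensitively) covers both the HKLM machine policy and a
# per-user HKU policy path.
POLICY_VALUE_SUFFIX = "\\appinstaller\\enablelocalmanifestfiles"
# Sysmon renders a DWORD of 1 in the Details field as this string.
ENABLED_DETAILS = "DWORD (0x00000001)"
SYSMON_VALUE_SET = 13  # Sysmon Event ID 13: RegistryEvent (Value Set)


def is_local_manifest_enabled(record: Dict) -> bool:
    """Return True when a parsed Sysmon record sets the policy value to 1."""
    if record.get("EventID") != SYSMON_VALUE_SET:
        return False
    target = str(record.get("TargetObject", ""))
    if not target.lower().endswith(POLICY_VALUE_SUFFIX):
        return False
    return str(record.get("Details", "")).strip() == ENABLED_DETAILS


def detect(lines: Iterable[str]) -> List[Dict]:
    """Parse JSON log lines and return one alert per matching event.

    Each alert carries the writing process (Image) and the account (User) so
    the reviewer can distinguish an administrator or developer enabling the
    feature on purpose from an unexpected change.
    """
    alerts: List[Dict] = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if is_local_manifest_enabled(record):
            alerts.append({
                "rule": "Enable Local Manifest Installation With Winget",
                "target": record["TargetObject"],
                "image": record.get("Image", "?"),
                "user": record.get("User", "?"),
            })
    return alerts


# Constructed sample records (not real telemetry), serialised as the JSON
# lines a Sysmon log forwarder might emit.
SAMPLE_RECORDS = [
    {   # policy value set to 1 by an interactive user: should alert
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableLocalManifestFiles",
        "Details": "DWORD (0x00000001)",
        "Image": r"C:\Windows\regedit.exe",
        "User": r"CORP\jdoe",
    },
    {   # same value explicitly set to 0 (disabled): no alert
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\EnableLocalManifestFiles",
        "Details": "DWORD (0x00000000)",
        "Image": r"C:\Windows\System32\svchost.exe",
        "User": "NT AUTHORITY\\SYSTEM",
    },
    {   # a different value under the same policy key: no alert
        "EventID": 13,
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller\SomeOtherPolicyValue",
        "Details": "DWORD (0x00000001)",
        "Image": r"C:\Windows\regedit.exe",
        "User": r"CORP\jdoe",
    },
    {   # key creation event (ID 12), not a value set: no alert
        "EventID": 12,
        "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller",
        "Details": "",
        "Image": r"C:\Windows\regedit.exe",
        "User": r"CORP\jdoe",
    },
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Running the block prints a single alert for the first record. In a SIEM the equivalent of the review step is to join the alert on Image and User against the change-management record or the known administrative tooling, which is where the legitimate testing and development cases mentioned above are filtered out.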
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
Created: 2023-04-17