
Winget Admin Settings Modification

Status
test
Severity
low
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks.

Event coverage

Provider   Event ID   Title
Sysmon     13         RegistryEvent (Value Set)

Rule body (YAML)

title: Winget Admin Settings Modification
id: 6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236
status: test
description: Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks
references:
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
    - https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        Image|endswith: '\winget.exe'
        TargetObject|startswith: '\REGISTRY\A\'
        TargetObject|endswith: '\LocalState\admin_settings'
    condition: selection
falsepositives:
    - The event doesn't contain information about the type of change. False positives are expected with legitimate changes
level: low

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    Image|endswith: '\winget.exe'
    TargetObject|startswith: '\REGISTRY\A\'
    TargetObject|endswith: '\LocalState\admin_settings'
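Added example, not code from the rule's author or the SigmaHQ project: the selection above evaluated in Python against a few constructed Sysmon Event ID 13 records that have already been mapped to the Sigma registry_set field names (the image paths and the app-package GUID are made-up sample values).

```python
# Added example: the rule's selection applied to constructed Sysmon Event ID 13
# records. Image paths and the package GUID below are made up for illustration.
SELECTION = {
    # (field, modifier) -> pattern, exactly as in the rule body
    ("Image", "endswith"): "\\winget.exe",
    ("TargetObject", "startswith"): "\\REGISTRY\\A\\",
    ("TargetObject", "endswith"): "\\LocalState\\admin_settings",
}

PKG = "\\REGISTRY\\A\\{5f9e1a2b-4c3d-4e6f-8a9b-0c1d2e3f4a5b}"  # constructed app-package hive

SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_x64__8wekyb3d8bbwe\\winget.exe",
     "TargetObject": PKG + "\\LocalState\\admin_settings"},          # expected: match
    {"Image": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_x64__8wekyb3d8bbwe\\winget.exe",
     "TargetObject": PKG + "\\LocalState\\settings.json"},           # other value: no match
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": PKG + "\\LocalState\\admin_settings"},          # not winget: out of scope
    {"Image": "C:\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.DESKTOPAPPINSTALLER_X64__8WEKYB3D8BBWE\\WINGET.EXE",
     "TargetObject": PKG.upper() + "\\LOCALSTATE\\ADMIN_SETTINGS"},  # case differs: still matches
]


def _predicate(value: str, modifier: str, pattern: str) -> bool:
    # Sigma string comparisons are case-insensitive unless a 'cased' modifier is used
    value, pattern = value.lower(), pattern.lower()
    if modifier == "startswith":
        return value.startswith(pattern)
    if modifier == "endswith":
        return value.endswith(pattern)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: dict) -> bool:
    # Entries of one selection map are ANDed; a missing field fails the rule
    for (field, modifier), pattern in SELECTION.items():
        value = event.get(field)
        if not isinstance(value, str) or not _predicate(value, modifier, pattern):
            return False
    return True


def evaluate(events: list) -> list:
    # Positions of the events the rule fires on. The rule never inspects the written
    # data (Sysmon's Details field), which is why its falsepositives entry warns that
    # legitimate and unwanted setting changes look identical to it.
    return [i for i, ev in enumerate(events) if matches_selection(ev)]
```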

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank cell or a count of 1 means the indicator is specific to this rule.

Field          Kind          Values
Image          ends_with     \winget.exe  (corpus 5: sigma 5)
TargetObject   ends_with     \LocalState\admin_settings
TargetObject   starts_with   \REGISTRY\A\