Merge pull request #3912 from nasbench/nasbench-rule-devel

feat: more appx rules updates

rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml

@@ -1,13 +1,14 @@
-title: Malicious AppX Package Installed
+title: Potential Malicious AppX Package Installation Attempts
 id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
 status: experimental
-description: Detects installation of known malicious appx packages
+description: Detects potential installation or installation attempts of known malicious appx packages
 references:
     - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
     - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
     - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
 author: Nasreddine Bencherchali
 date: 2023/01/11
+modified: 2023/01/12
 tags:
     - attack.defense_evasion
 logsource:
@@ -15,7 +16,9 @@ logsource:
     service: appxdeployment-server
 detection:
     selection:
-        EventID: 401
+        EventID:
+            - 400
+            - 401
         # Add more malicious package names
         # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
         PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'

rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml

@@ -1,5 +1,8 @@
 title: Potential Signing Bypass Via Windows Developer Features
 id: a383dec4-deec-4e6e-913b-ed9249670848
+related:
+    - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
+      type: similar
 status: experimental
 description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
 references:

rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml

@@ -0,0 +1,31 @@
+title: Potential Signing Bypass Via Windows Developer Features - Registry
+id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
+related:
+    - id: a383dec4-deec-4e6e-913b-ed9249670848
+      type: similar
+status: experimental
+description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+references:
+    - https://twitter.com/malmoeb/status/1560536653709598721
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/12
+tags:
+    - attack.defense_evasion
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains:
+            - '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
+            - '\Policies\Microsoft\Windows\Appx\'
+        TargetObject|endswith:
+            - '\AllowAllTrustedApps'
+            - '\AllowDevelopmentWithoutDevLicense'
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high