From 90c1e45d838fd5bcd7f2af925bb318fa4e94a058 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 12 Jan 2023 15:05:53 +0100
Subject: [PATCH 1/3] feat: add new reg variant of dev mode

---
 ...proc_creation_win_turn_on_dev_features.yml | 3 ++
 .../registry_set_turn_on_dev_features.yml | 31 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml

diff --git a/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
index 408d48a90..4cd1b2a77 100644
--- a/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
@@ -1,5 +1,8 @@
 title: Potential Signing Bypass Via Windows Developer Features
 id: a383dec4-deec-4e6e-913b-ed9249670848
+related:
+    - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
+      type: similar
 status: experimental
 description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
new file mode 100644
index 000000000..e4240e42c
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
@@ -0,0 +1,31 @@
+title: Potential Signing Bypass Via Windows Developer Features - Registry
+id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
+related:
+    - id: a383dec4-deec-4e6e-913b-ed9249670848
+      type: similar
+status: experimental
+description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+references:
+    - https://twitter.com/malmoeb/status/1560536653709598721
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/12
+tags:
+    - attack.defense_evasion
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains:
+            - '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
+            - '\Policies\Microsoft\Windows\Appx\'
+        TargetObject|endswith:
+            - '\AllowAllTrustedApps'
+            - '\AllowDevelopmentWithoutDevLicense'
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
From 9a671e25d94660e25b9527d5ebe8fca8d1975b12 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 12 Jan 2023 15:12:20 +0100
Subject: [PATCH 2/3] fix: add missing eid 400

---
 .../appxdeployment_server_mal_appx_names.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
index 7fee46f14..6b3221c82 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
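Review bot: `falsepositives:` / `    - Unknown` paired with `level: high` in the new registry_set_turn_on_dev_features.yml rule above will fire on every developer workstation, because `AllowDevelopmentWithoutDevLicense` and `AllowAllTrustedApps` are exactly the values the Settings app, IDE/WSL setup wizards and a Group Policy rollout write, and the `Details: 'DWORD (0x00000001)'` selection cannot tell those apart from an attacker. I would name the known-benign sources, e.g. `falsepositives:` / `    - Legitimate developer workstations and Group Policy deployments that enable Developer Mode or sideloading`, and either filter the `\Policies\Microsoft\Windows\Appx\` branch in GPO-managed estates or drop the level to medium. The `description:` line is garbled ("Detects when the enablement of ..."); `description: Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages.` reads correctly. Coverage also presumably depends on the Sysmon configuration actually logging SetValue on `AppModelUnlock` and the `Appx` policy key, which common baseline configs may not include — worth a sentence in the description so deployers know to add the key.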
@@ -8,6 +8,7 @@ references:
     - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
 author: Nasreddine Bencherchali
 date: 2023/01/11
+modified: 2023/01/12
 tags:
     - attack.defense_evasion
 logsource:
@@ -15,7 +16,9 @@ logsource:
     service: appxdeployment-server
 detection:
     selection:
-        EventID: 401
+        EventID:
+            - 400
+            - 401
         # Add more malicious package names
         # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
         PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'
From a5df41cf3936b53ea2fc43b002725fa13cd50b44 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 12 Jan 2023 15:49:40 +0100
Subject: [PATCH 3/3] fix: update title and description

---
 .../appxdeployment_server_mal_appx_names.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
index 6b3221c82..519c9f7b7 100644
--- a/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
+++ b/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml
@@ -1,7 +1,7 @@
-title: Malicious AppX Package Installed
+title: Potential Malicious AppX Package Installation Attempts
 id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
 status: experimental
-description: Detects installation of known malicious appx packages
+description: Detects potential installation or installation attempts of known malicious appx packages
 references:
     - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
     - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
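Review bot: The new `- 400` entry under `EventID:` in appxdeployment_server_mal_appx_names.yml (patch 2/3, second hunk) is still ANDed with the `PackageFullName|contains:` context line that follows it, so the change only has an effect if the 400 event exposes `PackageFullName` in the same form as 401; if it carries the package as a path or URI in a different field the new entry silently never matches, and that should be checked against a real AppXDeployment-Server log before merging. The `selection:` block and its `condition` continue outside the hunk. If 400 does match, the rule now fires on deployments that were started but blocked or failed, so the falsepositives entry (not visible here) should state that a hit means an attempt rather than a completed install — the title and description rewrite in patch 3/3 already moves in that direction. A one-line comment such as `# 400 = deployment operation started, 401 = add operation on the package; both carry the package name` above the list would spare the next maintainer the same lookup, once the field names are confirmed.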