feat: add new reg variant of dev mode

rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml

@@ -1,5 +1,8 @@
 title: Potential Signing Bypass Via Windows Developer Features
 id: a383dec4-deec-4e6e-913b-ed9249670848
+related:
+    - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
+      type: similar
 status: experimental
 description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
 references:

rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml

@@ -0,0 +1,31 @@
+title: Potential Signing Bypass Via Windows Developer Features - Registry
+id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
+related:
+    - id: a383dec4-deec-4e6e-913b-ed9249670848
+      type: similar
+status: experimental
+description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+references:
+    - https://twitter.com/malmoeb/status/1560536653709598721
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/12
+tags:
+    - attack.defense_evasion
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains:
+            - '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
+            - '\Policies\Microsoft\Windows\Appx\'
+        TargetObject|endswith:
+            - '\AllowAllTrustedApps'
+            - '\AllowDevelopmentWithoutDevLicense'
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high