From 90c1e45d838fd5bcd7f2af925bb318fa4e94a058 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 12 Jan 2023 15:05:53 +0100
Subject: [PATCH] feat: add new reg variant of dev mode

---
 ...proc_creation_win_turn_on_dev_features.yml | 3 ++
 .../registry_set_turn_on_dev_features.yml | 31 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml

diff --git a/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
index 408d48a90..4cd1b2a77 100644
--- a/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
+++ b/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml
@@ -1,5 +1,8 @@
 title: Potential Signing Bypass Via Windows Developer Features
 id: a383dec4-deec-4e6e-913b-ed9249670848
+related:
+    - id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
+      type: similar
 status: experimental
 description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
new file mode 100644
index 000000000..e4240e42c
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml
@@ -0,0 +1,31 @@
+title: Potential Signing Bypass Via Windows Developer Features - Registry
+id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
+related:
+    - id: a383dec4-deec-4e6e-913b-ed9249670848
+      type: similar
+status: experimental
+description: Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+references:
+    - https://twitter.com/malmoeb/status/1560536653709598721
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/12
+tags:
+    - attack.defense_evasion
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|contains:
+            - '\Microsoft\Windows\CurrentVersion\AppModelUnlock'
+            - '\Policies\Microsoft\Windows\Appx\'
+        TargetObject|endswith:
+            - '\AllowAllTrustedApps'
+            - '\AllowDevelopmentWithoutDevLicense'
+        Details: 'DWORD (0x00000001)'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
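Review bot: `falsepositives: - Unknown` together with `level: high` is the weak spot of the new rule: the `AppModelUnlock` and `Policies\...\Appx` values it matches are, by the rule's own description, the "Developer Mode" and sideloading settings, so on developer workstations or where the policy hive is managed this will presumably fire on routine, legitimate enablement rather than on an attacker. I would replace the placeholder with `    - Legitimate enablement of Developer Mode or app sideloading by developers or via group policy` and consider `level: medium` unless the fleet has no developer population. Separately, `Details: 'DWORD (0x00000001)'` is an exact match, so a value written as any other non-zero DWORD would not be caught; whether Windows treats those as enabled is worth confirming before deciding to widen the match, and the Sysmon-style `DWORD (...)` formatting should be noted as a backend assumption. The description also reads oddly; `description: Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages.` says the same thing grammatically.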