← Back to Explore
sigmahighHunting
Potential Signing Bypass Via Windows Developer Features
Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
Detection Query
selection_img:
- Image|endswith: \SystemSettingsAdminFlows.exe
- OriginalFileName: SystemSettingsAdminFlows.EXE
selection_flag:
CommandLine|contains: TurnOnDeveloperFeatures
selection_options:
CommandLine|contains:
- DeveloperUnlock
- EnableSideloading
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-01-11
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasion
Raw Content
title: Potential Signing Bypass Via Windows Developer Features
id: a383dec4-deec-4e6e-913b-ed9249670848
related:
- id: b110ebaf-697f-4da1-afd5-b536fa27a2c1
type: similar
status: test
description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
- attack.defense-evasion
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\SystemSettingsAdminFlows.exe'
- OriginalFileName: 'SystemSettingsAdminFlows.EXE'
selection_flag:
CommandLine|contains: 'TurnOnDeveloperFeatures'
selection_options:
CommandLine|contains:
- 'DeveloperUnlock'
- 'EnableSideloading'
condition: all of selection_*
falsepositives:
- Unknown
level: high