administrators or developers might enable this for testing purposes or to install custom private packages

windows
sigma

Techniques

Sample rules

Enable Local Manifest Installation With Winget

source: sigma
technicques:

Description

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \AppInstaller\EnableLocalManifestFiles