LoFP / legitimate internal requirements.

Techniques

t1112

Sample rules

ClickOnce Trust Prompt Tampering

source: sigma
technicques:
- t1112

Description

Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.

Detection logic

condition: selection
selection:
  Details: Enabled
  TargetObject|contains: \SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\
  TargetObject|endswith:
  - \Internet
  - \LocalIntranet
  - \MyComputer
  - \TrustedSites
  - \UntrustedSites