LoFP: The event doesn't contain information about the type of change. False positives are expected with legitimate changes.

Techniques

Sample rules

Winget Admin Settings Modification

Description

Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks.

Detection logic

detection:
  selection:
    Image|endswith: '\winget.exe'
    TargetObject|startswith: '\REGISTRY\A\'
    TargetObject|endswith: '\LocalState\admin_settings'
  condition: selection