cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

2 factor for allowing unsigned apps to be installed?

SocInABox
Iron Contributor

‎Nov 05 2022 07:51 AM

‎Nov 05 2022 07:51 AM

2 factor for allowing unsigned apps to be installed?

Hi everyone,

I'm just looking for your ideas on dealing with unsigned applications.
We can't trust EDR/AV to do everything and yet there are times we want to allow users to install unsigned applications.
I believe the middle ground in some cases is to allow the application to be installed but only if an authenticator method is used.
Although this won't eliminate all malicious activity it would prevent a specific category of attacks from happening.
It would also be so much easier to track malicious activity by flagging that device as high risk and tracking post-behavior for x hours.

**So my question is:** Can anyone recommend a clear method/procedure for allowing unsigned apps to be installed but only with an authenticator app method?

Or can WDAC be configured to allow apps to be installed with an authenticator?

Thanks.

1,512 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by SocInABox (Iron Contributor)
ChristianJBergstrom

‎Nov 06 2022 01:36 AM

‎Nov 06 2022 01:36 AM

Solution

Re: 2 factor for allowing unsigned apps to be installed?

Perhaps use the consent settings instead?

https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings
0 Likes
Reply
SocInABox

‎Nov 12 2022 10:16 AM

‎Nov 12 2022 10:16 AM

Re: 2 factor for allowing unsigned apps to be installed?

 

That's a neat idea, thanks Christian,
I assume that when a user self-authorized installation of an unsigned app that it will be logged somewhere so I'll look into that.

I also recently read that if a kernel level drive is loaded it will do such with a specific local admin account (SID 1-5-18 - local admin) so if that's true then I can also track unauthorized SIDs loading drivers.

https://synzack.github.io/Blinding-EDR-On-Windows/ 

 

Thanks!

 

 

 

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by SocInABox (Iron Contributor)
ChristianJBergstrom

‎Nov 06 2022 01:36 AM

‎Nov 06 2022 01:36 AM

Solution

Re: 2 factor for allowing unsigned apps to be installed?

Perhaps use the consent settings instead?

https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/ConsentPoliciesMenuBlade/~/UserSettings

View solution in original post

0 Likes
Reply