SOLVED

2 factor for allowing unsigned apps to be installed?

Frequent Contributor

Hi everyone,

I'm just looking for your ideas on dealing with unsigned applications.
We can't trust EDR/AV to do everything and yet there are times we want to allow users to install unsigned applications.
I believe the middle ground in some cases is to allow the application to be installed but only if an authenticator method is used.
Although this won't eliminate all malicious activity, it would prevent a specific category of attacks from happening.
It would also be so much easier to track malicious activity by flagging that device as high risk and tracking post-behavior for x hours.

**So my question is:** Can anyone recommend a clear method/procedure for allowing unsigned apps to be installed but only with an authenticator app method?

Or can WDAC be configured to allow apps to be installed with an authenticator?

Thanks.

2 Replies
best response confirmed by bobsyouruncle (Frequent Contributor)


That's a neat idea, thanks Christian.
I assume that when a user self-authorizes installation of an unsigned app it will be logged somewhere, so I'll look into that.

I also recently read that if a kernel-level driver is loaded it will do so with a specific local admin account (SID 1-5-18 - local admin), so if that's true then I can also track unauthorized SIDs loading drivers.

https://synzack.github.io/Blinding-EDR-On-Windows/ 


Thanks!
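The two ideas in this thread, logging a user's self-authorized unsigned install and then watching that device as "high risk" for a window of hours, and flagging kernel-driver installs by SIDs other than the expected one, can be combined into one piece of detection logic. The script below is an added example written for this page; it is not code from the thread or from any Microsoft tooling. It assumes Security event 4697 ("A service was installed in the system") has been exported to a flattened `Key=Value` text format, which is a constructed layout for the demo (the field names `SubjectUserSid`, `ServiceName`, `ServiceFileName` and `ServiceType` are the real 4697 fields; `Time` and `Computer` are stand-ins for the event's system properties). It also takes the poster's premise, that S-1-5-18 (the well-known LocalSystem SID) is the expected installer of drivers, as an assumption rather than a verified rule, and uses a 24-hour risk window as an arbitrary choice; both are single constants you would tune to your environment.

```python
"""Added example: flag kernel-driver service installs (Security event 4697)
whose installing SID is not on an allow-list, and raise severity when the
device recently had a user-authorized unsigned-app install."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Assumption taken from the thread: LocalSystem (S-1-5-18) is the only SID
# expected to install drivers. Extend this set for your own installers.
EXPECTED_DRIVER_INSTALLER_SIDS = {"S-1-5-18"}

# Event 4697 ServiceType values: 0x1 = kernel driver, 0x2 = file-system driver.
DRIVER_SERVICE_TYPES = {"0x1", "0x2"}

# Constructed sample export in a flattened Key=Value layout (not a real log).
SAMPLE_LOG = [
    'Time=2024-05-01T09:00:00 Computer=WS01 EventID=4697 SubjectUserSid=S-1-5-18 '
    'ServiceName=WdFilter ServiceFileName="system32\\drivers\\WdFilter.sys" ServiceType=0x2',
    'Time=2024-05-01T09:05:00 Computer=WS02 EventID=4697 '
    'SubjectUserSid=S-1-5-21-1111111111-2222222222-3333333333-1001 ServiceName=VendorSvc '
    'ServiceFileName="C:\\Program Files\\Vendor\\svc.exe" ServiceType=0x10',
    'Time=2024-05-01T10:30:00 Computer=WS02 EventID=4697 '
    'SubjectUserSid=S-1-5-21-1111111111-2222222222-3333333333-1001 ServiceName=tmpdrv '
    'ServiceFileName="C:\\Users\\alice\\AppData\\Local\\Temp\\tmpdrv.sys" ServiceType=0x1',
    'Time=2024-05-03T08:00:00 Computer=WS03 EventID=4697 '
    'SubjectUserSid=S-1-5-21-1111111111-2222222222-3333333333-1002 ServiceName=lab_fs '
    'ServiceFileName="C:\\lab\\lab_fs.sys" ServiceType=0x2',
]

# Matches Key=Value or Key="quoted value" pairs in the flattened layout.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    fields: dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


class DeviceRiskTracker:
    """Marks a device high-risk for a window after a user-authorized unsigned install."""

    def __init__(self, window_hours: int = 24) -> None:
        self.window = timedelta(hours=window_hours)
        self._high_risk_until: dict[str, datetime] = {}

    def record_authorized_install(self, device: str, when: datetime) -> None:
        # A fresh authorization restarts the window for that device.
        self._high_risk_until[device] = when + self.window

    def is_high_risk(self, device: str, when: datetime) -> bool:
        until = self._high_risk_until.get(device)
        return until is not None and when <= until


def flag_driver_installs(lines: list[str], tracker: DeviceRiskTracker,
                         allowed_sids: set[str] = EXPECTED_DRIVER_INSTALLER_SIDS) -> list[dict]:
    """Return one finding per driver install whose SubjectUserSid is not allow-listed.

    Severity is 'high' when the device is inside its post-authorization risk
    window (the thread's 'track post-behavior for x hours'), else 'medium'.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4697" or ev.get("ServiceType") not in DRIVER_SERVICE_TYPES:
            continue
        sid = ev.get("SubjectUserSid", "")
        if sid in allowed_sids:
            continue
        when = datetime.fromisoformat(ev["Time"])
        device = ev["Computer"]
        findings.append({
            "device": device,
            "time": ev["Time"],
            "sid": sid,
            "service": ev.get("ServiceName", ""),
            "image": ev.get("ServiceFileName", ""),
            "severity": "high" if tracker.is_high_risk(device, when) else "medium",
        })
    return findings


def run_demo() -> list[dict]:
    """Constructed scenario: alice approved an unsigned install on WS02 at 10:00."""
    tracker = DeviceRiskTracker(window_hours=24)
    tracker.record_authorized_install("WS02", datetime.fromisoformat("2024-05-01T10:00:00"))
    return flag_driver_installs(SAMPLE_LOG, tracker)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

In the constructed scenario the LocalSystem install of `WdFilter.sys` and the ordinary Win32 service (`ServiceType=0x10`) are ignored, the `tmpdrv.sys` install on WS02 half an hour after the authorized unsigned install is reported as high severity, and the WS03 driver install by a non-allow-listed SID with no recent authorization is reported as medium. The risk window is what ties the two ideas in the thread together: the authenticator step gives you a timestamped, attributable event to start the window from, and the driver-install rule is one of the post-behaviors worth correlating inside it.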