Suspicious Digital Signature Of AppX Package

Dec 1, 2023 · attack.defense_evasion attack.execution ·

Detects execution of AppX packages with known suspicious or malicious signature

Sigma rule (View on GitHub)

 1title: Suspicious Digital Signature Of AppX Package
 2id: b5aa7d60-c17e-4538-97de-09029d6cd76b
 3status: test
 4description: Detects execution of AppX packages with known suspicious or malicious signature
 5references:
 6    - Internal Research
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/01/16
10tags:
11    - attack.defense_evasion
12    - attack.execution
13logsource:
14    product: windows
15    service: appxpackaging-om
16detection:
17    selection:
18        EventID: 157
19        # Add more known suspicious/malicious certificates used in different attacks
20        subjectName: 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization'
21    condition: selection
22falsepositives:
23    - Unknown
24level: medium

References

Internal Research

Read More
Inside Malicious Windows Apps for Malware Deployment - SentinelOne

Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.

Read More

Suspicious Digital Signature Of AppX Package

Sigma rule (View on GitHub)

References

Internal Research

Inside Malicious Windows Apps for Malware Deployment - SentinelOne

Related rules