Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages

Sigma rule

title: Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
id: 975b2262-9a49-439d-92a6-0709cccdf0b2
related:
    - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
      type: similar
    - id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
      type: similar
status: test
description: Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages
references:
    - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
    - https://twitter.com/WindowsDocs/status/1620078135080325122
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-31
tags:
    - attack.persistence
    - attack.defense-evasion
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Add-AppPackage '
            - 'Add-AppxPackage '
    selection_flag:
        ScriptBlockText|contains: ' -AllowUnsigned'
    condition: all of selection_*
falsepositives:
    - Installation of unsigned packages for testing purposes
level: medium
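To show how the rule above behaves against real-looking Script Block Logging data, the following added example (not part of the Sigma rule or its repository) re-implements its detection logic in Python and runs it over constructed ScriptBlockText values; the Sigma semantics it mirrors are that `contains` is a case-insensitive substring test and `all of selection_*` requires both selections to match.

```python
"""Added example: evaluate the rule's detection logic over constructed
PowerShell Script Block Logging events. Not part of the Sigma rule itself."""

# Keyword lists copied from the rule above (note the trailing/leading spaces).
CMDLET_NEEDLES = ("Add-AppPackage ", "Add-AppxPackage ")
FLAG_NEEDLE = " -AllowUnsigned"


def sigma_contains(value: str, needles) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring match, OR over a list."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def rule_matches(script_block_text: str) -> bool:
    """condition: all of selection_* -> selection_cmdlet AND selection_flag."""
    selection_cmdlet = sigma_contains(script_block_text, CMDLET_NEEDLES)
    selection_flag = sigma_contains(script_block_text, (FLAG_NEEDLE,))
    return selection_cmdlet and selection_flag


# Constructed sample ScriptBlockText values (Event ID 4104); not taken from a real host.
SAMPLE_EVENTS = [
    # Unsigned install via the full cmdlet name: should alert.
    "Add-AppxPackage -Path C:\\Temp\\app.msix -AllowUnsigned",
    # Same via the Add-AppPackage alias in mixed case: should alert (case-insensitive).
    "add-apppackage -allowunsigned -Path .\\build\\app.msixbundle",
    # Signed install without the flag: no alert (this is the common benign case).
    "Add-AppxPackage -Path C:\\Temp\\signed.msix",
    # Flag string present but no install cmdlet: no alert.
    "Write-Host ' -AllowUnsigned requires developer mode'",
    # Different command sharing the prefix; the trailing space in the needle rejects it.
    "Add-AppxPackageLog -AllowUnsigned",
]


def evaluate(events) -> list:
    """Return the subset of events the rule flags, preserving order."""
    return [event for event in events if rule_matches(event)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(("ALERT " if rule_matches(event) else "ok    ") + event)
```

Only the first two constructed events are flagged; the remaining three illustrate why the rule requires both the cmdlet (with its trailing space) and the flag before alerting.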
