Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

Dec 1, 2023 · attack.persistence attack.defense_evasion ·

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Sigma rule (View on GitHub)

 1title: Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
 2id: 975b2262-9a49-439d-92a6-0709cccdf0b2
 3related:
 4    - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
 5      type: similar
 6status: test
 7description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
 8references:
 9    - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
10    - https://twitter.com/WindowsDocs/status/1620078135080325122
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023/01/31
13tags:
14    - attack.persistence
15    - attack.defense_evasion
16logsource:
17    product: windows
18    category: ps_script
19    definition: Script Block Logging must be enable
20detection:
21    selection_cmdlet:
22        ScriptBlockText|contains:
23            - 'Add-AppPackage '
24            - 'Add-AppxPackage '
25    selection_flag:
26        ScriptBlockText|contains: ' -AllowUnsigned'
27    condition: all of selection_*
28falsepositives:
29    - Installation of unsigned packages for testing purposes
30level: medium

References

Create an unsigned MSIX package - MSIX

This topic describes how to create and install an unsigned MSIX package

Read More
Something went wrong, but don’t fret — let’s give it another shot.

Read More

Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

Sigma rule (View on GitHub)

References

Create an unsigned MSIX package - MSIX

Related rules