Unsigned AppX Installation Attempt Using Add-AppxPackage

Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages

Sigma rule

title: Unsigned AppX Installation Attempt Using Add-AppxPackage
id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
related:
    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
      type: similar
    - id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
      type: similar
status: test
description: Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages
references:
    - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
    - https://twitter.com/WindowsDocs/status/1620078135080325122
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-31
tags:
    - attack.persistence
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cmdlet:
        CommandLine|contains:
            - 'Add-AppPackage '
            - 'Add-AppxPackage '
    selection_flag:
        CommandLine|contains: ' -AllowUnsigned'
    condition: all of selection_*
falsepositives:
    - Installation of unsigned packages for testing purposes
level: medium
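As an added example (not part of the rule or of the Sigma project), the rule's detection logic re-implemented in Python and evaluated over constructed process-creation events. It assumes Sigma's default behaviour: string modifiers are case-insensitive, and the two list entries under selection_img are OR-ed while the condition AND-s the three selections.

```python
"""Reference evaluation of the Add-AppxPackage Sigma rule over constructed events."""

# Values copied from the rule, lower-cased because Sigma matching is case-insensitive.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll")
CMDLETS = ("add-apppackage ", "add-appxpackage ")   # note the trailing space
FLAG = " -allowunsigned"                             # note the leading space


def _lower(value):
    """Missing fields behave like an empty string rather than raising."""
    return (value or "").lower()


def selection_img(event):
    # selection_img is a list of two maps: either map may match (OR).
    image = _lower(event.get("Image"))
    original = _lower(event.get("OriginalFileName"))
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_NAMES


def selection_cmdlet(event):
    cmd = _lower(event.get("CommandLine"))
    return any(c in cmd for c in CMDLETS)


def selection_flag(event):
    return FLAG in _lower(event.get("CommandLine"))


def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cmdlet(event) and selection_flag(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Add-AppxPackage -Path .\\app.msix -AllowUnsigned"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh -c add-apppackage .\\app.msix -allowunsigned"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe Add-AppxPackage -Path .\\signed.msix"},
    # Image name differs, so only the OriginalFileName branch of selection_img matches.
    {"Image": "C:\\Users\\Public\\ps.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "ps.exe Add-AppxPackage -AllowUnsigned -Path .\\app.msix"},
]


def alerts(events):
    """Return the indices of events the rule would fire on."""
    return [i for i, e in enumerate(events) if matches(e)]
```

The third sample installs a signed package without `-AllowUnsigned`, so only the flag selection fails and no alert is raised for it.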
