Unsigned AppX Installation Attempt Using Add-AppxPackage

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Sigma rule (View on GitHub)

 1title: Unsigned AppX Installation Attempt Using Add-AppxPackage
 2id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
 3related:
 4    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
 5      type: similar
 6status: test
 7description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
 8references:
 9    - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
10    - https://twitter.com/WindowsDocs/status/1620078135080325122
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-01-31
13tags:
14    - attack.persistence
15    - attack.defense-evasion
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_img:
21        - Image|endswith:
22              - '\powershell.exe'
23              - '\pwsh.exe'
24        - OriginalFileName:
25              - 'PowerShell.EXE'
26              - 'pwsh.dll'
27    selection_cmdlet:
28        CommandLine|contains:
29            - 'Add-AppPackage '
30            - 'Add-AppxPackage '
31    selection_flag:
32        CommandLine|contains: ' -AllowUnsigned'
33    condition: all of selection_*
34falsepositives:
35    - Installation of unsigned packages for testing purposes
36level: medium

References

Related rules

to-top