Unsigned AppX Installation Attempt Using Add-AppxPackage

Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages.

Sigma rule

title: Unsigned AppX Installation Attempt Using Add-AppxPackage
id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
related:
    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
      type: similar
status: test
description: Detects usage of the "Add-AppxPackage" or its alias "Add-AppPackage" to install unsigned AppX packages
references:
    - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
    - https://twitter.com/WindowsDocs/status/1620078135080325122
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/31
tags:
    - attack.persistence
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    # PowerShell host, matched by image path OR by the PE OriginalFileName
    # (the second check still matches when the binary has been renamed).
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    # The cmdlet or its alias; the trailing space requires a following argument.
    selection_cmdlet:
        CommandLine|contains:
            - 'Add-AppPackage '
            - 'Add-AppxPackage '
    # The switch that permits installing an unsigned package.
    selection_flag:
        CommandLine|contains: ' -AllowUnsigned'
    # All three selections must match the same process creation event.
    condition: all of selection_*
falsepositives:
    - Installation of unsigned packages for testing purposes
level: medium
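
The rule's matching logic, replayed over sample events. This is an added example, not part of the rule or the Sigma project; the events, paths and function names are constructed for illustration, and matching is case-insensitive as Sigma string modifiers are by default.

```python
# Added example: the rule's three selections as plain predicates.
IMG_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll")
CMDLETS = ("add-apppackage ", "add-appxpackage ")
FLAG = " -allowunsigned"

def selection_img(ev):
    # A list of maps in Sigma is an OR: image path suffix OR OriginalFileName.
    image = ev.get("Image", "").lower()
    original = ev.get("OriginalFileName", "").lower()
    return image.endswith(IMG_SUFFIXES) or original in ORIGINAL_NAMES

def selection_cmdlet(ev):
    cmd = ev.get("CommandLine", "").lower()
    return any(c in cmd for c in CMDLETS)

def selection_flag(ev):
    return FLAG in ev.get("CommandLine", "").lower()

def matches(ev):
    # condition: all of selection_*
    return selection_img(ev) and selection_cmdlet(ev) and selection_flag(ev)

# Constructed process_creation events (hypothetical paths and file names).
EVENTS = [
    # 1. Cmdlet plus -AllowUnsigned in Windows PowerShell: match.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r'powershell.exe -Command "Add-AppxPackage -Path C:\Temp\app.msix -AllowUnsigned"'},
    # 2. Alias, lower case, PowerShell 7: match.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": r"pwsh.exe -c add-apppackage -path .\app.msix -allowunsigned"},
    # 3. Renamed host binary: Image fails, OriginalFileName still matches.
    {"Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"update.exe Add-AppxPackage -Path C:\Temp\app.msix -AllowUnsigned"},
    # 4. Install without -AllowUnsigned: selection_flag fails, no match.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe Add-AppxPackage -Path C:\Temp\signed.msix"},
    # 5. Same strings on a non-PowerShell process: selection_img fails.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r'notepad.exe "Add-AppxPackage -Path app.msix -AllowUnsigned.txt"'},
]

def run():
    return [matches(ev) for ev in EVENTS]
```

Replaying known-good and known-bad events like this before deploying the rule confirms that each selection contributes to the verdict in your own telemetry field mapping.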