Unsigned AppX Installation Attempt Using Add-AppxPackage
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet:
CommandLine|contains:
- 'Add-AppPackage '
- 'Add-AppxPackage '
selection_flag:
CommandLine|contains: ' -AllowUnsigned'
condition: all of selection_*Installation of unsigned packages for testing purposes
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Detects similar activity. Both rules may fire on overlapping events.
Windows AppX Deployment Unsigned Package Installation
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
Detects similar activity. Both rules may fire on overlapping events.