Detectionmediumtest

Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Jan 31975b2262-9a49-439d-92a6-0709cccdf0b2windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Script Block Logging must be enable

Detection Logic

detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Add-AppPackage '
            - 'Add-AppxPackage '
    selection_flag:
        ScriptBlockText|contains: ' -AllowUnsigned'
    condition: all of selection_*

False Positives

Installation of unsigned packages for testing purposes

References

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Related Rules

SimilarDetectionmedium

Unsigned AppX Installation Attempt Using Add-AppxPackage

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Windows AppX Deployment Unsigned Package Installation

Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

975b2262-9a49-439d-92a6-0709cccdf0b2

Status

test

Level

medium

Type

Detection

Created

Tue Jan 31

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml

Raw Tags

attack.persistenceattack.defense-evasion

View on GitHub