Detectionmediumexperimental

Windows AppX Deployment Unsigned Package Installation

Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)Created Mon Nov 039a025188-6f2d-42f8-bb2f-d3a83d24a5afwindows

Log Source

Windowsappxdeployment-server

ProductWindows← raw: windows

Serviceappxdeployment-server← raw: appxdeployment-server

Detection Logic

detection:
    selection:
        EventID: 603
        Flags: '8388608'
    condition: selection

False Positives

Legitimate installation of unsigned packages for legitimate purposes such as development or testing

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0002 · Execution

Sub-techniques

T1204.002 · Malicious File T1553.005 · Mark-of-the-Web Bypass

Related Rules

SimilarDetectionmedium

Unsigned AppX Installation Attempt Using Add-AppxPackage

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

9a025188-6f2d-42f8-bb2f-d3a83d24a5af

Status

experimental

Level

medium

Type

Detection

Created

Mon Nov 03

Author

Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml

Raw Tags

attack.defense-evasionattack.executionattack.t1204.002attack.t1553.005

View on GitHub