Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

Rule Info

Name
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Reference
https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
Date
2023-01-31 00:00:00
Modified
None
Id
975b2262-9a49-439d-92a6-0709cccdf0b2
Tags
attack.persistence attack.defense_evasion DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=975b2262-9a49-439d-92a6-0709cccdf0b2

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
Nasreddine Bencherchali
fix: apply suggestions from code review
2023-02-02
c68531e68
Nasreddine Bencherchali
fix: add missing modified field
2023-02-02
d08acc18a
Nasreddine Bencherchali
feat: add add-appxpackage cmdlet rules
2023-01-31
3e24998fe
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022