Techniques
Sample rules
Unsigned AppX Installation Attempt Using Add-AppxPackage
- source: sigma
- techniques:
Description
Detects use of the “Add-AppxPackage” cmdlet or its alias “Add-AppPackage” to install unsigned AppX packages.
Detection logic
condition: all of selection_*
selection_cmdlet:
  CommandLine|contains:
    - 'Add-AppPackage '
    - 'Add-AppxPackage '
selection_flag:
  CommandLine|contains: ' -AllowUnsigned'
selection_img:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
- source: sigma
- techniques:
Description
Detects use of the “Add-AppxPackage” cmdlet or its alias “Add-AppPackage” to install unsigned AppX packages.
Detection logic
condition: all of selection_*
selection_cmdlet:
  ScriptBlockText|contains:
    - 'Add-AppPackage '
    - 'Add-AppxPackage '
selection_flag:
  ScriptBlockText|contains: ' -AllowUnsigned'
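
Added example (not part of the Sigma project or of this page's rules): a small Python evaluator that applies the logic of both rules above to constructed events, showing how "all of selection_*" combines the selections and how the two entries under selection_img act as alternatives. The field names come from the rules; the function names and the sample events are assumptions made for illustration.

```python
# Added illustration: evaluates the two rules' logic over constructed events.
CMDLETS = ("add-apppackage ", "add-appxpackage ")
FLAG = " -allowunsigned"
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll")

def _text_matches(text):
    """selection_cmdlet AND selection_flag; Sigma 'contains' ignores case."""
    t = (text or "").lower()
    return any(c in t for c in CMDLETS) and FLAG in t

def match_process_creation(event):
    """Rule 1: all of selection_* on a process-creation event."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    # selection_img is a list of two maps, so either one satisfies it (OR).
    selection_img = image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_NAMES
    return selection_img and _text_matches(event.get("CommandLine"))

def match_script_block(event):
    """Rule 2 (PsScript): same strings, tested against ScriptBlockText."""
    return _text_matches(event.get("ScriptBlockText"))

# Constructed sample events (not real telemetry).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe Add-AppxPackage -Path C:\Temp\app.msix -AllowUnsigned"},
    {"Image": r"C:\Temp\renamed.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": r"renamed.exe -c add-apppackage C:\Temp\app.msix -allowunsigned"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": r"pwsh.exe Add-AppxPackage -Path C:\Temp\signed.msix"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo Add-AppxPackage x -AllowUnsigned"},
]
SCRIPT_EVENTS = [
    {"ScriptBlockText": "Add-AppPackage -Path $pkg -AllowUnsigned"},
    {"ScriptBlockText": "Get-AppxPackage | Select-Object Name"},
]

def run_samples():
    """Return match results for the constructed events, in list order."""
    return ([match_process_creation(e) for e in PROCESS_EVENTS],
            [match_script_block(e) for e in SCRIPT_EVENTS])

if __name__ == "__main__":
    print(run_samples())
```

The second process event matches on OriginalFileName alone, which is why the rule carries that field alongside Image.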