LoFP / legitimate installation of unsigned packages for legitimate purposes such as development or testing

Techniques

Sample rules

Windows AppX Deployment Unsigned Package Installation

Description

Detects attempts to install unsigned MSIX/AppX packages with the -AllowUnsigned parameter, based on AppXDeployment-Server events.

Detection logic

condition: selection
selection:
  EventID: 603
  Flags: '8388608'