Event ID 157 — The app package signature was validated for core content of the app package published by subjectName.
Description
The app package signature was validated for core content of the app package published by subjectName. Payload won't be validated until the files are read.
Fields

| Name | Type | Description |
|---|---|---|
| subjectName | UnicodeString | Subject (distinguished name) of the publisher certificate whose signature over the package's core content was validated; see the example below. |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-AppxPackagingOM",
    "guid": "BA723D81-0D0C-4F1E-80C8-54740F508DDF",
    "event_source_name": "",
    "event_id": 157,
    "version": 0,
    "level": 4,
    "task": 7,
    "opcode": 12,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:42:48.381218+00:00",
    "event_record_id": 1772,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-CE30-F2E43710DA01"
    },
    "execution": {
      "process_id": 17796,
      "thread_id": 7604
    },
    "channel": "Microsoft-Windows-AppxPackaging/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "subjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
  },
  "message": ""
}
```
Detection Rules
Sigma

- Suspicious Digital Signature Of AppX Package (level: medium): Detects execution of AppX packages with known suspicious or malicious signature
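A minimal triage check over this event, added here as an example and not taken from the Sigma rule or the evtx-baseline project: it keys on the provider and event ID, pulls `subjectName` from `event_data`, and surfaces any publisher subject not on an allowlist for review. The allowlist and the trimmed sample event are constructed for the example; the `parse_dn` splitter is a simple one that does not handle escaped commas in DN values.

```python
import json

# Constructed sample shaped like the page's example event, trimmed to the
# fields the check reads; the publisher string is the one shown on the page.
SAMPLE_EVENT = json.loads("""
{
  "system": {"provider": "Microsoft-Windows-AppxPackagingOM", "event_id": 157,
             "channel": "Microsoft-Windows-AppxPackaging/Operational"},
  "event_data": {"subjectName":
    "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"}
}
""")

# Hypothetical allowlist of publisher subjects an environment expects to see.
# Anything else is flagged for review, not blocked: a validated signature on
# the core content says nothing yet about the payload, which (per the event
# description) is only validated when the files are read.
EXPECTED_PUBLISHERS = {
    "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
}


def parse_dn(subject: str) -> dict:
    """Split a simple X.500-style subject string into attribute/value pairs."""
    parts = {}
    for rdn in subject.split(", "):
        key, _, value = rdn.partition("=")
        parts[key.strip()] = value.strip()
    return parts


def assess_event_157(event: dict) -> dict:
    """Classify one AppxPackagingOM Event ID 157 record by its publisher subject."""
    system = event.get("system", {})
    if (system.get("provider") != "Microsoft-Windows-AppxPackagingOM"
            or system.get("event_id") != 157):
        return {"verdict": "ignore", "reason": "not an AppxPackagingOM event 157"}
    subject = event.get("event_data", {}).get("subjectName", "")
    if not subject:
        return {"verdict": "review", "reason": "subjectName missing from event_data"}
    dn = parse_dn(subject)
    if subject in EXPECTED_PUBLISHERS:
        return {"verdict": "expected", "publisher_cn": dn.get("CN", ""),
                "reason": "publisher subject is on the allowlist"}
    return {"verdict": "review", "publisher_cn": dn.get("CN", ""),
            "reason": "publisher subject not on the allowlist"}
```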
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline