Detection rules › Sigma
Windows AppX Deployment Unsigned Package Installation
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.002 User Execution: Malicious File |
| Defense Evasion | T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| AppXDeployment-Server | 603 | Started deployment DeploymentOperation operation on a package with main parameter Path and Options Flags and FlagsHigh. |
Stages and Predicates
Stage 1: selection
Flags: 8388608
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Flags | eq |
|