← Back to Explore
sigmamediumHunting
Suspicious Digital Signature Of AppX Package
Detects execution of AppX packages with known suspicious or malicious signature
Detection Query
selection:
EventID: 157
subjectName: CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North
York, S=Ontario, C=CA, SERIALNUMBER=1004913-1,
OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-01-16
Data Sources
windowsappxpackaging-om
Platforms
windows
References
Tags
attack.defense-evasionattack.execution
Raw Content
title: Suspicious Digital Signature Of AppX Package
id: b5aa7d60-c17e-4538-97de-09029d6cd76b
status: test
description: Detects execution of AppX packages with known suspicious or malicious signature
references:
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-16
tags:
- attack.defense-evasion
- attack.execution
logsource:
product: windows
service: appxpackaging-om
detection:
selection:
EventID: 157
# Add more known suspicious/malicious certificates used in different attacks
subjectName: 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization'
condition: selection
falsepositives:
- Unknown
level: medium