Detectionmediumtest
Potential Malicious AppX Package Installation Attempts
Detects potential installation or installation attempts of known malicious appx packages
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Wed Jan 11Updated Thu Jan 1209d3b48b-be17-47f5-bf4e-94e7e75d09cewindows
Log Source
Windowsappxdeployment-server
ProductWindows← raw: windows
Serviceappxdeployment-server← raw: appxdeployment-server
Detection Logic
Detection Logic1 selector
detection:
selection:
EventID:
- 400
- 401
# Add more malicious package names
# TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'
condition: selectionFalse Positives
Rare occasions where a malicious package uses the exact same name and version as a legitimate application.
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
09d3b48b-be17-47f5-bf4e-94e7e75d09ce
Status
test
Level
medium
Type
Detection
Created
Wed Jan 11
Modified
Thu Jan 12
Path
rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml
Raw Tags
attack.defense-evasion