Threat Hunt | low | experimental

Successful MSIX/AppX Package Installation

Detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. While most installations are legitimate, this can help identify unauthorized or suspicious package installations. It is crucial to monitor such events as threat actors may exploit MSIX/AppX packages to deliver and execute malicious payloads.

Author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Mon Nov 03
Rule ID: 289dfa9e-e378-4a56-a9d4-7ed5ee218029
Product: windows
Hunting Hypothesis
Log Source
Product: windows
Service: appxdeployment-server
Detection Logic (1 selector)
detection:
    selection:
        EventID: 854
    condition: selection
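The rule above has a single selector, so matching reduces to two checks: the record comes from the channel the logsource maps to, and its EventID equals 854. The following is an added example (not the rule's or the rule browser's own code) that evaluates exactly that against Windows event records exported as XML in the shape Get-WinEvent's ToXml() produces, then groups hits per host and user as a triage aid for the false-positive note. The sample records, host names and SIDs are constructed; the channel name, logsource values and EventID are the ones stated on this page.

```python
# Added example: apply this Sigma rule's selector to XML event records.
# Sample records below are constructed; the channel and EventID come from the page.
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sigma logsource (product, service) -> Windows channel, as the description states.
LOGSOURCE_CHANNELS = {
    ("windows", "appxdeployment-server"):
        "Microsoft-Windows-AppXDeployment-Server/Operational",
}
RULE_LOGSOURCE = ("windows", "appxdeployment-server")
RULE_SELECTION = {"EventID": 854}   # the rule's only selector
APPX_CHANNEL = LOGSOURCE_CHANNELS[RULE_LOGSOURCE]


def parse_event(xml_text):
    """Pull the System-block fields the rule needs out of one <Event> record."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", EVT_NS)
    sec = sysnode.find("e:Security", EVT_NS)
    return {
        "Channel": sysnode.findtext("e:Channel", namespaces=EVT_NS),
        "EventID": int(sysnode.findtext("e:EventID", namespaces=EVT_NS)),
        "Computer": sysnode.findtext("e:Computer", namespaces=EVT_NS),
        "UserID": sec.get("UserID") if sec is not None else None,
    }


def matches_rule(event):
    """'condition: selection': every selection field must match, and the
    record must come from the channel the logsource maps to."""
    if event["Channel"] != APPX_CHANNEL:
        return False
    return all(event.get(k) == v for k, v in RULE_SELECTION.items())


def hunt(xml_records):
    """Return the parsed records that fire the rule."""
    return [ev for ev in map(parse_event, xml_records) if matches_rule(ev)]


def per_host_counts(hits):
    """Legitimate installs tend to cluster on known hosts/users; a lone hit
    on an unusual host is what a hunter reviews first."""
    return Counter((h["Computer"], h["UserID"]) for h in hits)


def _record(channel, event_id, computer, user_sid):
    # Constructed minimal record: only the System block, which is all the rule reads.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System>"
        f"<EventID>{event_id}</EventID>"
        f"<Channel>{channel}</Channel>"
        f"<Computer>{computer}</Computer>"
        f'<Security UserID="{user_sid}"/>'
        "</System></Event>"
    )


SAMPLE_RECORDS = [  # constructed
    _record(APPX_CHANNEL, 854, "WKS01", "S-1-5-21-1-1-1-1001"),  # successful install -> hit
    _record(APPX_CHANNEL, 400, "WKS01", "S-1-5-21-1-1-1-1001"),  # other event id -> no hit
    _record("Security", 854, "WKS02", "S-1-5-18"),               # same id, wrong channel -> no hit
    _record(APPX_CHANNEL, 854, "WKS02", "S-1-5-21-1-1-1-1002"),  # second install -> hit
]

if __name__ == "__main__":
    for host_user, n in per_host_counts(hunt(SAMPLE_RECORDS)).items():
        print(host_user, n)
```

The channel check matters because EventID values are only unique within a provider: the third sample carries ID 854 in a different channel and is correctly ignored. On a live host the same records come from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-AppXDeployment-Server/Operational'; Id=854}`, piped through `ToXml()`.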
False Positives

Legitimate MSIX/AppX package installations

MITRE ATT&CK

Execution (attack.execution): T1204.002 User Execution: Malicious File

Other

detection.threat-hunting
Rule Metadata
Rule ID
289dfa9e-e378-4a56-a9d4-7ed5ee218029
Status
experimental
Level
low
Type
Threat Hunt
Created
Mon Nov 03
Path
rules-threat-hunting/windows/builtin/appxdeployment_server/win_appxpackaging_server_successful_package_installation.yml
Raw Tags
attack.execution, attack.t1204.002, detection.threat-hunting