Detection · medium · test
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Wed Jan 11
Updated: Wed Dec 03
ID: 898d5fc9-fbc3-43de-93ad-38e97237c344
Product: windows
Log Source
Windows / appxdeployment-server
Product: Windows (raw: windows)
Service: appxdeployment-server (raw: appxdeployment-server)
Detection Logic (1 selector)
detection:
    selection:
        EventID: 401
        ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
    condition: selection
False Positives
Legitimate AppX packages not signed by MS that are used as part of an enterprise.
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID: 898d5fc9-fbc3-43de-93ad-38e97237c344
Status: test
Level: medium
Type: Detection
Created: Wed Jan 11
Modified: Wed Dec 03
Path: rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_deployment_failed_signing_requirements.yml
Raw Tags: attack.defense-evasion