Detectionmediumexperimental
Windows AppX Deployment Full Trust Package Installation
Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)Created Mon Nov 03e54279c7-4910-4e2c-902c-c56a25b549f6windows
Log Source
Windowsappxdeployment-server
ProductWindows← raw: windows
Serviceappxdeployment-server← raw: appxdeployment-server
Detection Logic
Detection Logic6 selectors
detection:
selection:
EventID: 400
HasFullTrust: true
filter_main_legitpath:
PackageSourceUri|startswith:
- 'file:///C:/Program%20Files/'
- 'file:///C:/Program%20Files%20(x86)/'
filter_main_microsoft:
- PackageSourceUri|startswith: 'https://go.microsoft.com/fwlink/?linkid'
- PackageSourceUri|contains:
- '.cdn.microsoft.com'
- '.cdn.office.net/'
filter_main_callerprocess:
CallingProcess|startswith:
- 'sysprep.exe'
- 'svchost.exe,AppReadiness'
filter_optional_x_update:
PackageSourceUri|startswith: 'x-windowsupdate://'
filter_optional_microsoftclient:
PackageFullName|startswith: 'MicrosoftWindows.Client.'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Some legitimate applications installation which have been missed from filtering can generate fps, thus baselining and tuning is recommended before deploying to production
References
MITRE ATT&CK
Rule Metadata
Rule ID
e54279c7-4910-4e2c-902c-c56a25b549f6
Status
experimental
Level
medium
Type
Detection
Created
Mon Nov 03
Path
rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml
Raw Tags
attack.defense-evasionattack.executionattack.t1204.002attack.t1553.005