Type: Detection | Level: medium | Status: test
Potentially Suspicious Windows App Activity
Detects potentially suspicious child processes of applications launched from inside the WindowsApps directory. This can be a sign of a rogue ".appx" package being installed or executed.
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu Jan 12
Updated: Tue Oct 07
Rule ID: f91ed517-a6ba-471d-9910-b3b4a398c0f3
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (5 selectors)
detection:
    selection_parent:
        # GrandParentImage|endswith: '\sihost.exe'
        ParentImage|contains: 'C:\Program Files\WindowsApps\'
    selection_susp_img:
        Image|endswith:
            # You can add more LOLBINs
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    selection_susp_cli:
        # You can add more potentially suspicious keywords
        CommandLine|contains:
            - 'cmd /c'
            - 'Invoke-'
            - 'Base64'
    filter_optional_terminal:
        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
        ParentImage|endswith: '\WindowsTerminal.exe'
        # Note: to avoid FP add the default shells and profiles that your WT integrates
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
    filter_optional_sysinternals:
        ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'
        Image|endswith: '\cmd.exe'
    condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*

False Positives
Legitimate packages that make use of external binaries such as Windows Terminal
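To see how the selections and filters combine, here is an added Python evaluator that is not part of the SigmaHQ rule or of this page. It implements only the Sigma string modifiers the rule uses (contains, startswith, endswith, all case-insensitive, a list of values meaning OR and the fields of one selection meaning AND) and runs the condition over constructed process_creation events. The Contoso package names, the "1.0.0.0_x64__example" folder suffix and every path and command line are invented; the D: drive event is there to show that selection_parent anchors on 'C:\Program Files\WindowsApps\' while filter_optional_terminal anchors on ':\Program Files\WindowsApps\...' without a drive letter.

```python
# Added example: a minimal evaluator for the detection block above. It is not
# the Sigma project's own code and supports only the modifiers this rule uses.

def _field_matches(value, modifier, patterns):
    """Case-insensitive Sigma-style match; any pattern in the list is enough (OR)."""
    if value is None:
        return False
    v = value.lower()
    for p in patterns:
        p = p.lower()
        if modifier == "contains" and p in v:
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
    return False


def selection_matches(event, selection):
    """Every 'Field|modifier' key of a selection must match (AND)."""
    for key, patterns in selection.items():
        field, modifier = key.split("|")
        if isinstance(patterns, str):
            patterns = [patterns]
        if not _field_matches(event.get(field), modifier, patterns):
            return False
    return True


# The rule's detection block, transcribed from the YAML above.
DETECTION = {
    "selection_parent": {"ParentImage|contains": "C:\\Program Files\\WindowsApps\\"},
    "selection_susp_img": {"Image|endswith": [
        "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
        "\\powershell_ise.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe",
        "\\wscript.exe"]},
    "selection_susp_cli": {"CommandLine|contains": ["cmd /c", "Invoke-", "Base64"]},
    "filter_optional_terminal": {
        "ParentImage|contains": ":\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal",
        "ParentImage|endswith": "\\WindowsTerminal.exe",
        "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\pwsh.exe"]},
    "filter_optional_sysinternals": {
        "ParentImage|startswith": "C:\\Program Files\\WindowsApps\\Microsoft.SysinternalsSuite",
        "Image|endswith": "\\cmd.exe"},
}


def rule_matches(event):
    """condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*"""
    parent = selection_matches(event, DETECTION["selection_parent"])
    susp = any(selection_matches(event, DETECTION[k])
               for k in DETECTION if k.startswith("selection_susp_"))
    filtered = any(selection_matches(event, DETECTION[k])
                   for k in DETECTION if k.startswith("filter_optional_"))
    return parent and susp and not filtered


# Constructed sample events (not real telemetry); package folder names use the
# invented suffix 1.0.0.0_x64__example instead of a real version and publisher hash.
WINDOWSAPPS = "C:\\Program Files\\WindowsApps\\"
EVENTS = [
    {"label": "rogue-updater-powershell",   # alert: LOLBIN child of a WindowsApps package
     "ParentImage": WINDOWSAPPS + "Contoso.Updater_1.0.0.0_x64__example\\Updater.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -File C:\\Users\\Public\\s.ps1"},
    {"label": "terminal-default-shell",     # filtered: Windows Terminal starting its shell profile
     "ParentImage": WINDOWSAPPS + "Microsoft.WindowsTerminal_1.0.0.0_x64__example\\WindowsTerminal.exe",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -nologo"},
    {"label": "terminal-mshta",             # alert: mshta is not in the terminal filter's image list
     "ParentImage": WINDOWSAPPS + "Microsoft.WindowsTerminal_1.0.0.0_x64__example\\WindowsTerminal.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\Users\\Public\\run.hta"},
    {"label": "sysinternals-cmd",           # filtered although 'cmd /c' is a suspicious keyword
     "ParentImage": WINDOWSAPPS + "Microsoft.SysinternalsSuite_1.0.0.0_x64__example\\Tools\\procexp64.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c whoami"},
    {"label": "helper-base64-lowercase",    # alert via selection_susp_cli; matching is case-insensitive
     "ParentImage": WINDOWSAPPS + "Contoso.Updater_1.0.0.0_x64__example\\Updater.exe",
     "Image": WINDOWSAPPS + "Contoso.Updater_1.0.0.0_x64__example\\helper.exe",
     "CommandLine": "helper.exe --decode base64 --in payload.bin"},
    {"label": "notes-notepad",              # quiet: benign child, no keyword
     "ParentImage": WINDOWSAPPS + "Contoso.Notes_1.0.0.0_x64__example\\Notes.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
    {"label": "other-drive-powershell",     # quiet: selection_parent hardcodes the C: drive
     "ParentImage": "D:\\Program Files\\WindowsApps\\Contoso.Updater_1.0.0.0_x64__example\\Updater.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop"},
]


def alerting_labels(events=EVENTS):
    """Labels of the constructed events that the rule would alert on."""
    return [e["label"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in EVENTS:
        print(("ALERT " if rule_matches(e) else "quiet ") + e["label"])
```

Two things the run makes visible: the Windows Terminal filter only suppresses the three listed shells, so a LOLBIN such as mshta.exe launched from the terminal still alerts, and the Sysinternals filter suppresses cmd.exe even when its command line carries a keyword from selection_susp_cli. The two selection_parent variants of the drive prefix are worth aligning if packages on another volume matter in your environment.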
MITRE ATT&CK
Tactics: Defense Evasion (attack.defense-evasion)
Rule Metadata
Rule ID: f91ed517-a6ba-471d-9910-b3b4a398c0f3
Status: test
Level: medium
Type: Detection
Created: Thu Jan 12
Modified: Tue Oct 07
Path: rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml
Raw Tags: attack.defense-evasion