Non-Microsoft App Package Installation Process
Detects processes launched from a package folder under `WindowsApps` whose folder name does not carry one of the two Microsoft publisher IDs (`8wekyb3d8bbwe`, Microsoft Corporation, and `cw5n1h2txyewy`, Microsoft Windows), i.e. an app package that was not published by Microsoft. Because every legitimate third-party Store or sideloaded package also matches, the rule is rated `low` with unknown false positives and is better suited to hunting and triage than to alerting. Part of the RedCanary 2024 Threat Detection Report (T1546.016, Installer Packages).
Sigma rule

```yaml
title: Non-Microsoft App Package Installation Process
id: ca15c3dc-243f-432d-868b-c7694027be21
status: experimental
description: |
    Detects app package installation processes where the app is not a Microsoft app
    based on the publisher ID. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546
    - attack.t1546.016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'C:\Program Files\WindowsApps'
            - 'C:\Program Files (x86)\WindowsApps'
    filter:
        Image|contains:
            - '8wekyb3d8bbwe'
            - 'cw5n1h2txyewy'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
```
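The following is an added example, not code from the rule page or from RedCanary: it evaluates the rule's `selection and not filter` logic over a handful of constructed process_creation events and also extracts the publisher ID from the package folder name so the exclusion can be reasoned about explicitly. Sigma `contains` matching is case-insensitive, so both sides are lowercased. The image paths, the package names `ContosoLtd.Updater` and `FABRIKAM.TOOLS`, and the publisher IDs `y0a1b2c3d4e5f` and `q9w8e7r6t5y4u` are constructed for the example; the two Microsoft IDs are the ones from the rule.

```python
"""Evaluate the 'Non-Microsoft App Package Installation Process' Sigma logic
over constructed process_creation events (added example, not the rule's own code)."""
from typing import List, Optional

# Paths from the rule's selection; Sigma 'contains' is case-insensitive.
SELECTION_PATHS = (
    r"C:\Program Files\WindowsApps",
    r"C:\Program Files (x86)\WindowsApps",
)
# Publisher IDs the rule's filter excludes:
#   8wekyb3d8bbwe -> Microsoft Corporation
#   cw5n1h2txyewy -> Microsoft Windows
MICROSOFT_PUBLISHER_IDS = ("8wekyb3d8bbwe", "cw5n1h2txyewy")


def publisher_id(image: str) -> Optional[str]:
    """Return the publisher-ID suffix of the package folder the image runs from.

    Package folders under WindowsApps are named
    <Name>_<Version>_<Arch>_<ResourceId>_<PublisherId>, so the publisher ID is
    the last underscore-separated token of the first path component after
    'WindowsApps'. Returns None for images outside a package folder.
    """
    lowered = image.lower()
    marker = "\\windowsapps\\"
    idx = lowered.find(marker)
    if idx == -1:
        return None
    rest = image[idx + len(marker):]
    folder = rest.split("\\", 1)[0]
    if "_" not in folder:
        return None
    return folder.rsplit("_", 1)[1]


def matches_rule(event: dict) -> bool:
    """Mirror the rule: condition = selection and not filter."""
    lowered = event.get("Image", "").lower()
    selection = any(p.lower() in lowered for p in SELECTION_PATHS)
    # Note the filter is a substring check on the whole path, exactly as the
    # rule writes it, not a check on the parsed publisher ID.
    filtered = any(pid in lowered for pid in MICROSOFT_PUBLISHER_IDS)
    return selection and not filtered


def run(events: List[dict]) -> List[dict]:
    """Return the events the rule would fire on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; the paths mimic the WindowsApps folder layout
# but are not real telemetry. Only the third and fourth should match.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe\CalculatorApp.exe"},
    {"Image": r"C:\Program Files\WindowsApps\MicrosoftWindows.Client.CBS_1000.22000.0.0_x64__cw5n1h2txyewy\InputApp.exe"},
    {"Image": r"C:\Program Files\WindowsApps\ContosoLtd.Updater_1.0.0.0_x64__y0a1b2c3d4e5f\Updater.exe"},
    {"Image": r"C:\PROGRAM FILES (X86)\WINDOWSAPPS\FABRIKAM.TOOLS_2.3.0.0_X86__q9w8e7r6t5y4u\tool.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe"},
]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(f"publisher={publisher_id(hit['Image'])}  image={hit['Image']}")
```

When triaging hits, the parsed publisher ID is the field to pivot on: a package signed by a known vendor can be allow-listed by ID rather than by path, and the example's `matches_rule` deliberately keeps the rule's plain substring filter so that the difference between "path contains a Microsoft ID" and "package was published by Microsoft" stays visible.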
References
- https://redcanary.com/threat-detection-report/techniques/installer-packages/
Related rules
- Package Support Framework (PSF) Advanced Installer Processes
- AppInit DLL Installation
- Non-depmod Process Modifying modules.dep
- PowerShell Startup Folder Persistence
- Shells Modifying Files in Known Linux Kernel Modules Directories