Package Support Framework (PSF) Advanced Installer Processes

Detects app package installation processes where legitimate software is included in an MSIX package, but a malicious PowerShell script may execute beforehand by employing the Package Support Framework (PSF). In these cases, the MSIX package includes the malicious script, which is executed as specified in an included config.json file. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Package Support Framework (PSF) Advanced Installer Processes
id: 0c5dcf6c-9b6a-4411-a410-9b9b2caaef75
status: experimental
description: |
    Detects app package installation processes where legitimate software is included
    in an MSIX package, but a malicious PowerShell script may execute beforehand by
    employing the Package Support Framework (PSF). In these cases, the MSIX package
    includes the malicious script, which is executed as specified in an included
    config.json file. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1546
    - attack.t1546.016
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AI_STUBS\AiStubX64Elevated.exe'
            - '\AI_STUBS\AiStubX86Elevated.exe'
            - '\AI_STUBS\AiStubX64.exe'
            - '\AI_STUBS\AiStubX86.exe'
    condition: selection
falsepositives:
    - Unknown
level: low
```
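To show how this rule's single `Image|endswith` selection behaves against process-creation telemetry, here is an added Python example (not part of the rule or of the Sigma project) that applies the four suffixes with Sigma's default case-insensitive string matching to a handful of constructed events. The `WindowsApps` paths and the `ParentImage` values are made up for illustration.

```python
from typing import Iterable, List, Dict

# Suffixes copied from the rule's `Image|endswith` selection.
PSF_STUB_SUFFIXES = (
    r"\AI_STUBS\AiStubX64Elevated.exe",
    r"\AI_STUBS\AiStubX86Elevated.exe",
    r"\AI_STUBS\AiStubX64.exe",
    r"\AI_STUBS\AiStubX86.exe",
)


def sigma_endswith(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma's plain string modifiers compare case-insensitively, so both
    sides are lower-cased before the suffix test."""
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate `condition: selection` for one process_creation event.
    Events without an Image field cannot match."""
    image = event.get("Image")
    return isinstance(image, str) and sigma_endswith(image, PSF_STUB_SUFFIXES)


def run_detection(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that trigger the rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample telemetry (hypothetical package names and paths).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WindowsApps\Contoso.App_1.0_x64__abc\AI_STUBS\AiStubX64Elevated.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # Mixed case still matches because Sigma matching is case-insensitive.
    {"Image": r"C:\Program Files\WindowsApps\Fabrikam.Tool_2.1_x86__def\ai_stubs\aistubx86.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Same binary name but outside an AI_STUBS directory: no match.
    {"Image": r"C:\Temp\AiStubX64.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    # Event with no Image field at all.
    {"CommandLine": "powershell.exe -nop -w hidden"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"])
```

Because the rule carries `falsepositives: Unknown` and `level: low`, the two hits above should be enriched with the parent process and package path rather than treated as a verdict on their own.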
