Potential Malicious AppX Package Installation Attempts
Detects potential installation or installation attempts of known malicious appx packages
Sigma rule (View on GitHub)
1title: Potential Malicious AppX Package Installation Attempts
2id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
3status: test
4description: Detects potential installation or installation attempts of known malicious appx packages
5references:
6 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
7 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
8 - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2023-01-11
11modified: 2023-01-12
12tags:
13 - attack.defense-evasion
14logsource:
15 product: windows
16 service: appxdeployment-server
17detection:
18 selection:
19 EventID:
20 - 400
21 - 401
22 # Add more malicious package names
23 # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
24 PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'
25 condition: selection
26falsepositives:
27 - Rare occasions where a malicious package uses the exact same name and version as a legtimate application
28level: medium
References
-
Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.
Read More -
-
In this post I’ll work through analyzing an AppX package from Magnitude Exploit Kit that drops Magniber. This adventure comes courtesy of a tweet from @JAMESWT_MHT:
Read More
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity