Deployment Of The AppX Package Was Blocked By The Policy
Detects an appx package deployment that was blocked by the local computer policy
Sigma rule (View on GitHub)
1title: Deployment Of The AppX Package Was Blocked By The Policy
2id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
3status: test
4description: Detects an appx package deployment that was blocked by the local computer policy
5references:
6 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
7 - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
8author: frack113
9date: 2023-01-11
10tags:
11 - attack.defense-evasion
12logsource:
13 product: windows
14 service: appxdeployment-server
15detection:
16 selection:
17 EventID:
18 - 441
19 - 442
20 - 453
21 - 454
22 condition: selection
23falsepositives:
24 - Unknown
25level: medium
References
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity