Deployment Of The AppX Package Was Blocked By The Policy

Detects an appx package deployment that was blocked by the local computer policy

Sigma rule (View on GitHub)

 1title: Deployment Of The AppX Package Was Blocked By The Policy
 2id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
 3status: test
 4description: Detects an appx package deployment that was blocked by the local computer policy
 5references:
 6    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 7    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
 8author: frack113
 9date: 2023-01-11
10tags:
11    - attack.defense-evasion
12logsource:
13    product: windows
14    service: appxdeployment-server
15detection:
16    selection:
17        EventID:
18            - 441
19            - 442
20            - 453
21            - 454
22    condition: selection
23falsepositives:
24    - Unknown
25level: medium

References

Related rules

to-top