Suspicious AppX Package Installation Attempt
Detects an AppX package installation that fails with error code "0x80073cff", which indicates that the package did not meet the signing requirements and could be suspicious.
Sigma rule
```yaml
title: Suspicious AppX Package Installation Attempt
id: 898d5fc9-fbc3-43de-93ad-38e97237c344
status: test
description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
references:
    - Internal Research
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/11
tags:
    - attack.defense_evasion
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 401
        ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
    condition: selection
falsepositives:
    - Legitimate AppX packages not signed by MS used part of an enterprise
level: medium
```
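The following Python is an added example, not code from the rule page or the Sigma project. It applies the rule's selection (EventID 401 with ErrorCode 0x80073cff from the AppXDeploymentServer log) to parsed event records and shows one way to handle the false positive the rule names, an allow-list of known enterprise package prefixes, without loosening the rule itself. The sample events are constructed; the field names other than EventID and ErrorCode (PackageFullName, Computer) are assumptions for this example.

```python
"""Added example, not part of the Sigma rule or the rule repository: applies the
rule's selection (EventID 401 and ErrorCode 0x80073cff from the
AppXDeploymentServer log) to parsed event records and supports the
false-positive tuning the rule mentions."""
from typing import Dict, Iterable, List, Sequence

# Values taken from the rule on the page.
RULE_EVENT_ID = 401
RULE_ERROR_CODE = "0x80073cff"

# Constructed sample events shaped like parsed entries from the
# Microsoft-Windows-AppXDeploymentServer/Operational channel. Field names
# other than EventID and ErrorCode (PackageFullName, Computer) are assumptions
# made for this example.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 401, "ErrorCode": "0x80073CFF", "Computer": "WS01",
     "PackageFullName": "Contoso.LineOfBusinessApp_1.0.0.0_x64__abcd1234efgh5"},
    {"EventID": 401, "ErrorCode": "0x80073D01", "Computer": "WS01",
     "PackageFullName": "Contoso.LineOfBusinessApp_1.0.0.0_x64__abcd1234efgh5"},
    {"EventID": 400, "ErrorCode": "0x0", "Computer": "WS02",
     "PackageFullName": "Microsoft.WindowsCalculator_11.0.0.0_x64__8wekyb3d8bbwe"},
    {"EventID": "401", "ErrorCode": "0x80073cff", "Computer": "WS02",
     "PackageFullName": "Unknown.Loader_1.0.0.0_x64__zzzz9999yyyy8"},
]


def matches_rule(event: Dict[str, object]) -> bool:
    """Evaluate the rule's 'selection'. Sigma string values match
    case-insensitively, so the comparison is normalised: real logs usually
    render the code in upper case (0x80073CFF) while the rule spells it in
    lower case. EventID may arrive as a string or an int depending on the
    parser, so it is coerced before comparing."""
    try:
        event_id = int(str(event.get("EventID", "")))
    except ValueError:
        return False
    code = str(event.get("ErrorCode", "")).strip().lower()
    return event_id == RULE_EVENT_ID and code == RULE_ERROR_CODE


def find_suspicious_installs(
    events: Iterable[Dict[str, object]],
    allowed_package_prefixes: Sequence[str] = (),
) -> List[Dict[str, object]]:
    """Return matching events, dropping packages whose PackageFullName starts
    with an allow-listed prefix. This handles the rule's stated false positive
    (legitimate enterprise packages not signed by Microsoft) as a post-filter
    so the rule itself stays untouched."""
    hits: List[Dict[str, object]] = []
    for event in events:
        if not matches_rule(event):
            continue
        name = str(event.get("PackageFullName", ""))
        if any(name.startswith(prefix) for prefix in allowed_package_prefixes):
            continue
        hits.append(event)
    return hits


def triage_summary(hits: Iterable[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group offending package names per host for an analyst's first look."""
    summary: Dict[str, List[str]] = {}
    for event in hits:
        host = str(event.get("Computer", "unknown"))
        summary.setdefault(host, []).append(str(event.get("PackageFullName", "")))
    return summary


if __name__ == "__main__":
    raw_hits = find_suspicious_installs(SAMPLE_EVENTS)
    tuned_hits = find_suspicious_installs(
        SAMPLE_EVENTS, allowed_package_prefixes=("Contoso.",)
    )
    print("untuned:", triage_summary(raw_hits))
    print("tuned:  ", triage_summary(tuned_hits))
```

Run as a script, the untuned pass reports one hit on each of WS01 and WS02; with the constructed `Contoso.` prefix allow-listed only the WS02 package remains. Keep the allow-list narrow (a full package family name prefix rather than a vendor name alone), since anything matched by it is silently dropped from the alert.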
Related rules
- Atbroker Registry Change
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Deployment AppX Package Was Blocked By AppLocker
- Deployment Of The AppX Package Was Blocked By The Policy