Suspicious AppX Package Installation Attempt
Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
Sigma rule (View on GitHub)
1title: Suspicious AppX Package Installation Attempt
2id: 898d5fc9-fbc3-43de-93ad-38e97237c344
3status: test
4description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
5references:
6 - Internal Research
7 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
8 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
9 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/01/11
12tags:
13 - attack.defense_evasion
14logsource:
15 product: windows
16 service: appxdeployment-server
17detection:
18 selection:
19 EventID: 401
20 ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
21 condition: selection
22falsepositives:
23 - Legitimate AppX packages not signed by MS used part of an enterprise
24level: medium
References
-
Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.
Read More -
Use these suggestions to troubleshoot problems you experience when packaging, deploying, or querying an app package.
Read More -
Related rules
- Atbroker Registry Change
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Deployment AppX Package Was Blocked By AppLocker
- Deployment Of The AppX Package Was Blocked By The Policy