Suspicious AppX Package Installation Attempt
Detects an AppX package installation that fails with error code "0x80073cff", which indicates that the package did not meet the signing requirements and may therefore be suspicious.
Sigma rule
title: Suspicious AppX Package Installation Attempt
id: 898d5fc9-fbc3-43de-93ad-38e97237c344
status: test
description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
references:
    - Internal Research
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
tags:
    - attack.defense-evasion
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 401
        ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
    condition: selection
falsepositives:
    - Legitimate AppX packages not signed by MS used as part of an enterprise
level: medium
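The selection above is a single AND of two fields. The following Python, added here as an illustration and not part of the Sigma project or the rule's author's code, evaluates that selection over a handful of constructed AppXDeploymentServer-style events. The events, their field values other than EventID and ErrorCode, and the helper names are assumptions made for the example; the one behaviour it sets out to show is that Sigma's default string match is case-insensitive, so an implementation that compares the logged hex value byte-for-byte against the lowercase '0x80073cff' in the rule would silently miss an event logged as 0x80073CFF.

```python
"""Evaluate the rule's `detection.selection` over constructed sample events.

Sigma semantics mirrored here (unmodified string values only):
  * every field in a selection map must match (AND);
  * a list of values for one field matches if any value matches (OR);
  * an unmodified value is an exact, case-insensitive comparison.
"""

# Mirrors the rule's selection block exactly.
SELECTION = {
    "EventID": 401,
    "ErrorCode": "0x80073cff",
}

# Metadata copied from the rule, attached to each hit.
RULE_TITLE = "Suspicious AppX Package Installation Attempt"
RULE_LEVEL = "medium"


def field_matches(event_value, rule_value):
    """Sigma default match: render both sides as strings and compare
    case-insensitively, so EventID 401 matches 401 or "401" and
    "0x80073CFF" matches '0x80073cff'."""
    if event_value is None:  # field absent from the event
        return False
    return str(event_value).strip().lower() == str(rule_value).strip().lower()


def selection_matches(event, selection=SELECTION):
    """True when every field of the selection map matches the event."""
    for field, expected in selection.items():
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(field_matches(event.get(field), v) for v in candidates):
            return False
    return True


def run_detection(events, selection=SELECTION):
    """Return an alert dict for each event the selection matches."""
    return [
        {"rule": RULE_TITLE, "level": RULE_LEVEL, **event}
        for event in events
        if selection_matches(event, selection)
    ]


# Constructed sample events (not real log output). Only EventID and ErrorCode
# come from the rule; Computer, TimeCreated and PackageFullName are assumed
# field names added so the alerts carry some context.
SAMPLE_EVENTS = [
    {   # hex logged in upper case: must still match
        "EventID": 401, "ErrorCode": "0x80073CFF",
        "Computer": "ws01.example.test", "TimeCreated": "2023-01-11T09:00:01Z",
        "PackageFullName": "Contoso.SampleApp_1.0.0.0_x64__placeholder",
    },
    {   # same event id, different failure (constructed value): no match
        "EventID": 401, "ErrorCode": "0x80070005",
        "Computer": "ws01.example.test", "TimeCreated": "2023-01-11T09:02:10Z",
        "PackageFullName": "Contoso.OtherApp_2.0.0.0_x64__placeholder",
    },
    {   # right error code, wrong event id: no match
        "EventID": 404, "ErrorCode": "0x80073CFF",
        "Computer": "ws02.example.test", "TimeCreated": "2023-01-11T09:05:44Z",
        "PackageFullName": "Contoso.SampleApp_1.0.0.0_x64__placeholder",
    },
    {   # EventID delivered as a string by an XML-to-JSON exporter: must match
        "EventID": "401", "ErrorCode": "0x80073cff",
        "Computer": "ws03.example.test", "TimeCreated": "2023-01-11T09:07:13Z",
        "PackageFullName": "Contoso.SampleApp_1.0.0.0_x64__placeholder",
    },
    {   # ErrorCode missing entirely: no match
        "EventID": 401,
        "Computer": "ws03.example.test", "TimeCreated": "2023-01-11T09:08:00Z",
    },
]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: {alert['Computer']} "
              f"{alert['TimeCreated']} {alert.get('PackageFullName', '?')}")
```

Of the five constructed events, the first and fourth are reported. For triage, the falsepositives entry in the rule is the relevant follow-up: an enterprise that sideloads its own packages will see this event for every package signed by a certificate the endpoint does not trust, so the alert is best enriched with the package name and correlated against the organisation's known internal signing certificates before escalation.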