Suspicious AppX Package Installation Attempt

Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious

Sigma rule (View on GitHub)

 1title: Suspicious AppX Package Installation Attempt
 2id: 898d5fc9-fbc3-43de-93ad-38e97237c344
 3status: test
 4description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
 5references:
 6    - Internal Research
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 9    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-11
12tags:
13    - attack.defense-evasion
14logsource:
15    product: windows
16    service: appxdeployment-server
17detection:
18    selection:
19        EventID: 401
20        ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
21    condition: selection
22falsepositives:
23    - Legitimate AppX packages not signed by MS used part of an enterprise
24level: medium

References

Related rules

to-top