Windows MSIX Package Support Framework AI_STUBS Execution
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables whose PE original filename is 'popupwrapper.exe'. This activity may indicate malicious MSIX packages built with Advanced Installer that leverage the Package Support Framework to bypass application control restrictions.
Sigma rule
title: Windows MSIX Package Support Framework AI_STUBS Execution
id: af5732ed-764e-489d-826d-0447c8b36242
status: experimental
description: |
    Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
    This activity may indicate malicious MSIX packages built with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
references:
    - https://redcanary.com/blog/threat-intelligence/msix-installers/
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
    - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1218
    - attack.t1553.005
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AI_STUBS\AiStubX64Elevated.exe'
            - '\AI_STUBS\AiStubX86Elevated.exe'
            - '\AI_STUBS\AiStubX64.exe'
            - '\AI_STUBS\AiStubX86.exe'
        OriginalFileName: 'popupwrapper.exe'
    condition: selection
falsepositives:
    - Legitimate applications packaged with Advanced Installer using Package Support Framework
level: low
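The selection above is an AND of two conditions: the process image must end with one of the four AI_STUBS paths, and the PE version-info OriginalFileName must equal 'popupwrapper.exe'. The following is an added example, not code from the Sigma project or this rule's authors, that evaluates that selection over constructed Sysmon-style process_creation events so the behaviour on edge cases (mixed case, a stub path with a different original filename, the original filename appearing outside an AI_STUBS directory, a missing field) is visible. The event field names mirror Sysmon Event ID 1; the package paths and event values are constructed for illustration.

```python
# Added example: a minimal evaluator for the rule's 'selection' block.
# Not part of the Sigma rule or project; sample events are constructed.

# Suffixes copied from the rule's Image|endswith list.
AI_STUB_IMAGE_SUFFIXES = (
    r"\AI_STUBS\AiStubX64Elevated.exe",
    r"\AI_STUBS\AiStubX86Elevated.exe",
    r"\AI_STUBS\AiStubX64.exe",
    r"\AI_STUBS\AiStubX86.exe",
)
ORIGINAL_FILE_NAME = "popupwrapper.exe"


def matches_ai_stubs_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection'.

    Sigma string comparisons (plain equality and the endswith modifier)
    are case-insensitive by default, so both fields are lower-cased.
    Both conditions must hold; an event missing either field cannot match.
    """
    image = event.get("Image")
    original = event.get("OriginalFileName")
    if image is None or original is None:
        return False
    image_l = image.lower()
    suffix_hit = any(image_l.endswith(s.lower()) for s in AI_STUB_IMAGE_SUFFIXES)
    return suffix_hit and original.lower() == ORIGINAL_FILE_NAME


# Constructed sample events (not real telemetry). Package folder names under
# WindowsApps are invented placeholders.
SAMPLE_EVENTS = [
    {   # 0: the case the rule describes -> match
        "Image": r"C:\Program Files\WindowsApps\Contoso.App_1.0.0.0_x64__placeholder\AI_STUBS\AiStubX64Elevated.exe",
        "OriginalFileName": "popupwrapper.exe",
    },
    {   # 1: same thing with mixed case in both fields -> match
        "Image": r"C:\Program Files\WindowsApps\Contoso.App_1.0.0.0_x86__placeholder\ai_stubs\AISTUBX86.EXE",
        "OriginalFileName": "PopupWrapper.exe",
    },
    {   # 2: AI_STUBS stub path but a different original filename -> no match
        "Image": r"C:\Program Files\WindowsApps\Contoso.App_1.0.0.0_x64__placeholder\AI_STUBS\AiStubX64.exe",
        "OriginalFileName": "AiStubX64.exe",
    },
    {   # 3: right original filename, but not under an AI_STUBS path -> no match
        "Image": r"C:\Users\Public\popupwrapper.exe",
        "OriginalFileName": "popupwrapper.exe",
    },
    {   # 4: OriginalFileName field absent (e.g. stripped version info) -> no match
        "Image": r"C:\Program Files\WindowsApps\Contoso.App_1.0.0.0_x64__placeholder\AI_STUBS\AiStubX86Elevated.exe",
    },
    {   # 5: stub name followed by extra characters; endswith does not fire -> no match
        "Image": r"C:\Temp\AI_STUBS\AiStubX64.exe.bak",
        "OriginalFileName": "popupwrapper.exe",
    },
]


def evaluate(events) -> list:
    """Return the indexes of the events that satisfy the rule."""
    return [i for i, e in enumerate(events) if matches_ai_stubs_rule(e)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"[match] event {i}: {e['Image']} (OriginalFileName={e['OriginalFileName']})")
```

Events 0 and 1 are the only hits. Event 2 is why the rule keys on OriginalFileName rather than the stub path alone, and event 3 is why the path condition is also required; together they keep the rule at level low rather than firing on every Advanced Installer package, which the falsepositives entry already anticipates.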
Related rules
- Windows AppX Deployment Full Trust Package Installation
- Windows AppX Deployment Unsigned Package Installation
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via MSOHTMED.EXE