Potentially Suspicious Windows App Activity

calendar Oct 9, 2025 · attack.defense-evasion  ·
Share on: linkedin copy

Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Windows App Activity
 2id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
 3status: test
 4description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
 5references:
 6    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-01-12
10modified: 2025-10-07
11tags:
12    - attack.defense-evasion
13logsource:
14    product: windows
15    category: process_creation
16detection:
17    selection_parent:
18        # GrandParentImage|endswith: '\sihost.exe'
19        ParentImage|contains: 'C:\Program Files\WindowsApps\'
20    selection_susp_img:
21        Image|endswith:
22            # You can add more LOLBINs
23            - '\cmd.exe'
24            - '\cscript.exe'
25            - '\mshta.exe'
26            - '\powershell.exe'
27            - '\powershell_ise.exe'
28            - '\pwsh.exe'
29            - '\regsvr32.exe'
30            - '\rundll32.exe'
31            - '\wscript.exe'
32    selection_susp_cli:
33        # You can add more potentially suspicious keywords
34        CommandLine|contains:
35            - 'cmd /c'
36            - 'Invoke-'
37            - 'Base64'
38    filter_optional_terminal:
39        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
40        ParentImage|endswith: '\WindowsTerminal.exe'
41        # Note: to avoid FP add the default shells and profiles that your WT integrates
42        Image|endswith:
43            - '\powershell.exe'
44            - '\cmd.exe'
45            - '\pwsh.exe'
46    filter_optional_sysinternals:
47        ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'
48        Image|endswith: '\cmd.exe'
49    condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
50falsepositives:
51    - Legitimate packages that make use of external binaries such as Windows Terminal
52level: medium

References

Related rules

to-top