Potentially Suspicious Windows App Activity
Detects potentially suspicious child processes of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package being installed or executed.
Sigma rule
title: Potentially Suspicious Windows App Activity
id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
status: test
description: Detects potentially suspicious child processes of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
references:
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-12
modified: 2025-10-07
tags:
    - attack.defense-evasion
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        # GrandParentImage|endswith: '\sihost.exe'
        ParentImage|contains: 'C:\Program Files\WindowsApps\'
    selection_susp_img:
        Image|endswith:
            # You can add more LOLBINs
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    selection_susp_cli:
        # You can add more potentially suspicious keywords
        CommandLine|contains:
            - 'cmd /c'
            - 'Invoke-'
            - 'Base64'
    filter_optional_terminal:
        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
        ParentImage|endswith: '\WindowsTerminal.exe'
        # Note: to avoid false positives, add the default shells and profiles that your Windows Terminal installation integrates
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
    filter_optional_sysinternals:
        ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'
        Image|endswith: '\cmd.exe'
    condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate packages that make use of external binaries such as Windows Terminal
level: medium
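As an added example (not part of the rule above or of the Sigma project), the rule's condition written out as a plain Python check over constructed process_creation events, so the effect of the two optional filters can be seen on concrete records. Field names follow the Sigma windows/process_creation log source; the package folder names in the sample events are placeholders.

```python
# Added example, not part of the rule page: a minimal evaluator that applies
# the rule's logic to constructed process_creation events. Field names follow
# the Sigma windows/process_creation log source; all events are constructed.

WINDOWSAPPS = "c:\\program files\\windowsapps\\"
SUSP_IMAGES = ("\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
               "\\powershell_ise.exe", "\\pwsh.exe", "\\regsvr32.exe",
               "\\rundll32.exe", "\\wscript.exe")
SUSP_CLI = ("cmd /c", "invoke-", "base64")
TERMINAL_SHELLS = ("\\powershell.exe", "\\cmd.exe", "\\pwsh.exe")


def matches(event: dict) -> bool:
    """True if the event triggers the rule (Sigma string matching is case-insensitive)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cli = event.get("CommandLine", "").lower()

    selection_parent = WINDOWSAPPS in parent            # ParentImage|contains
    susp_img = image.endswith(SUSP_IMAGES)              # selection_susp_img
    susp_cli = any(k in cli for k in SUSP_CLI)          # selection_susp_cli
    # filter_optional_terminal: Windows Terminal spawning one of its shells
    filter_terminal = (":\\program files\\windowsapps\\microsoft.windowsterminal" in parent
                       and parent.endswith("\\windowsterminal.exe")
                       and image.endswith(TERMINAL_SHELLS))
    # filter_optional_sysinternals: Sysinternals Suite package launching cmd.exe
    filter_sysinternals = (parent.startswith(WINDOWSAPPS + "microsoft.sysinternalssuite")
                           and image.endswith("\\cmd.exe"))
    # condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
    return (selection_parent and (susp_img or susp_cli)
            and not (filter_terminal or filter_sysinternals))


# Constructed sample events; package folder names are illustrative placeholders.
EVENTS = [
    # 1: unknown package spawning cmd.exe -> alerts
    {"ParentImage": "C:\\Program Files\\WindowsApps\\Contoso.App_1.0.0.0_x64__placeholder\\App.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir"},
    # 2: Windows Terminal opening its PowerShell profile -> suppressed by the terminal filter
    {"ParentImage": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.0.0.0_x64__placeholder\\WindowsTerminal.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe"},
    # 3: same child, but the parent is outside WindowsApps -> out of scope
    {"ParentImage": "C:\\Program Files\\Contoso\\App.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir"},
]


def evaluate(events=EVENTS) -> list:
    return [matches(e) for e in events]  # [True, False, False]
```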
Related rules
- Amsi.DLL Loaded Via LOLBIN Process
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Delete Defender Scan ShellEx Context Menu Registry Key
- Files With System Process Name In Unsuspected Locations
- Filter Driver Unloaded Via Fltmc.EXE