Potentially Suspicious Windows App Activity

calendar Oct 18, 2023 · attack.defense_evasion  ·
Share on: linkedin copy

Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Windows App Activity
 2id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
 3status: experimental
 4description: Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
 5references:
 6    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/01/12
10modified: 2023/08/31
11tags:
12    - attack.defense_evasion
13logsource:
14    product: windows
15    category: process_creation
16detection:
17    selection_parent:
18        # GrandParentImage|endswith: '\sihost.exe'
19        ParentImage|contains: 'C:\Program Files\WindowsApps\'
20    selection_susp_img:
21        Image|endswith:
22            # You can add more LOLBINs
23            - '\cmd.exe'
24            - '\cscript.exe'
25            - '\mshta.exe'
26            - '\powershell.exe'
27            - '\pwsh.exe'
28            - '\regsvr32.exe'
29            - '\rundll32.exe'
30            - '\wscript.exe'
31    selection_susp_cli:
32        # You can add more potentially suspicious keywords
33        CommandLine|contains:
34            - 'cmd /c'
35            - 'Invoke-'
36            - 'Base64'
37    filter_optional_terminal:
38        ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
39        ParentImage|endswith: '\WindowsTerminal.exe'
40        # Note: to avoid FP add the default shells and profiles that your WT integrates
41        Image|endswith:
42            - '\powershell.exe'
43            - '\cmd.exe'
44            - '\pwsh.exe'
45    condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
46falsepositives:
47    - Legitimate packages that make use of external binaries such as Windows Terminal
48level: medium

References

Related rules

to-top