t1553.005 | LoFP

t1553.005

Title	Tags
legitimate applications may be deployed as full trust msix packages, especially line-of-business applications that require access to system resources. microsoft store applications, development tools, and enterprise applications may legitimately use full trust packages. verify if the package is from a trusted source and signed by a trusted publisher before taking action. review the package source uri and calling process to determine if the installation is expected in your environment.	t1204.002 t1553.005 endpoint splunk
legitimate applications packaged with advanced installer using package support framework	t1204 t1204.002 t1218 t1553 t1553.005 windows sigma
legitimate applications packaged with advanced installer using the package support framework may trigger this detection. verify if the msix package is from a trusted source and signed by a trusted publisher before taking action. organizations that use advanced installer for legitimate software packaging may see false positives.	t1204.002 t1218 t1553.005 endpoint splunk
legitimate developer-signed applications that are not from the microsoft store will trigger this detection. organizations should maintain a baseline of expected developer-signed applications in their environment and tune the detection accordingly. common legitimate developer-signed applications include in-house developed applications and some third-party applications that are not distributed through the microsoft store.	t1204.002 t1553.005 endpoint splunk
legitimate installation of unsigned packages for legitimate purposes such as development or testing	t1204 t1204.002 t1553 t1553.005 windows sigma
legitimate powershell scripts	t1003 t1003.003 t1003.006 t1033 t1036 t1036.003 t1057 t1070 t1070.003 t1083 t1201 t1546 t1546.015 t1553 t1553.005 t1562 t1562.001 t1564 t1564.006 t1615 windows sigma
legitimate software development and testing activities may trigger this detection. internal application development teams testing msix packages before signing or system administrators installing custom unsigned applications for business purposes may use the -allowunsigned parameter. note that the -allowunsigned flag is only available on windows 11 and later versions. verify if the package installation is expected in your environment and if the calling process and user are authorized to install unsigned packages.	t1204.002 t1553.005 endpoint splunk
no false positives have been identified at this time.	t1003 t1003.001 t1003.003 t1003.005 t1005 t1012 t1016 t1021 t1021.001 t1027 T1027.011 t1036 t1036.003 t1036.004 t1037.001 t1041 t1046 t1048 t1048.003 t1053 t1053.005 T1053.007 t1055 t1055.001 T1055.002 t1059 t1059.001 t1059.002 t1059.003 t1059.004 t1059.005 t1059.007 t1068 t1069.001 t1069.002 t1070 t1070.004 T1070.008 t1071 t1071.004 t1074 t1078 t1078.004 t1082 t1087 t1087.001 t1087.002 t1087.004 t1090.001 t1090.003 t1098 t1098.003 t1105 t1110 T1110.003 t1112 t1113 t1114.001 t1124 t1127 t1129 t1134 t1134.004 t1134.005 t1185 t1190 t1195 t1200 t1202 t1203 t1204 t1204.002 T1204.003 t1207 t1210 t1212 t1218.005 t1218.007 t1218.010 t1218.011 t1220 t1222 t1222.001 t1482 t1484 t1484.001 t1485 t1486 t1489 t1490 t1497 T1497.003 t1498 t1505 t1526 t1529 t1531 t1543 t1546 t1546.001 t1546.002 t1546.011 t1547.003 t1547.005 T1547.012 t1548 t1548.002 t1552.002 t1552.004 t1552.006 t1552.007 t1553.005 t1554 t1555.003 t1555.005 t1556 T1557.002 t1558 T1558.004 t1560 t1560.001 t1562 t1562.001 t1562.004 t1562.006 t1562.008 t1564.001 t1564.004 t1566 t1566.001 t1566.002 t1574.001 T1574.009 T1590.005 t1649 amazon elastic container registry azure tenant circleci aws account o365 tenant github aws instance kubernetes infrastructure network identity windows endpoint splunk
some legitimate applications installation which have been missed from filtering can generate fps, thus baselining and tuning is recommended before deploying to production	t1204 t1204.002 t1553 t1553.005 windows sigma