Techniques
Sample rules
Windows MSIX Package Support Framework AI_STUBS Execution
- source: sigma
- techniques:
  - t1204
  - t1204.002
  - t1218
  - t1553
  - t1553.005
Description
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with the original filename ‘popupwrapper.exe’. This activity may indicate malicious MSIX packages built with Advanced Installer that leverage the Package Support Framework to bypass application control restrictions.
Detection logic
condition: selection
selection:
  Image|endswith:
    - \AI_STUBS\AiStubX64Elevated.exe
    - \AI_STUBS\AiStubX86Elevated.exe
    - \AI_STUBS\AiStubX64.exe
    - \AI_STUBS\AiStubX86.exe
  OriginalFileName: popupwrapper.exe
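The selection above, evaluated over process-creation events, as an added example that is not part of the Sigma rule or its tooling. It assumes events are dicts carrying the rule's `Image` and `OriginalFileName` fields and applies Sigma's default case-insensitive string matching; the sample events, package names and function names are constructed for illustration.

```python
# Added example: evaluates the rule's selection against constructed events.
# List values under one field are ORed; the two fields are ANDed.
IMAGE_SUFFIXES = (
    r"\AI_STUBS\AiStubX64Elevated.exe",
    r"\AI_STUBS\AiStubX86Elevated.exe",
    r"\AI_STUBS\AiStubX64.exe",
    r"\AI_STUBS\AiStubX86.exe",
)
ORIGINAL_FILE_NAME = "popupwrapper.exe"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies both parts of the selection."""
    # A missing or null field can never match, so it becomes an empty string.
    image = str(event.get("Image") or "").lower()
    original = str(event.get("OriginalFileName") or "").lower()
    image_hit = any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
    return image_hit and original == ORIGINAL_FILE_NAME


# Constructed sample events (hypothetical package names and paths).
SAMPLE_EVENTS = [
    # Stub under AI_STUBS with the expected original filename: match.
    {"Image": r"C:\Program Files\WindowsApps\Example.App_1.0.0.0_x64__constructed"
              r"\AI_STUBS\AiStubX64.exe",
     "OriginalFileName": "popupwrapper.exe"},
    # Same condition with different casing: still a match.
    {"Image": r"c:\program files\windowsapps\example.app_1.0.0.0_x86__constructed"
              r"\ai_stubs\AISTUBX86ELEVATED.EXE",
     "OriginalFileName": "PopupWrapper.exe"},
    # AI_STUBS path but a different original filename: no match.
    {"Image": r"C:\Program Files\WindowsApps\Example.App_1.0.0.0_x64__constructed"
              r"\AI_STUBS\AiStubX64.exe",
     "OriginalFileName": "other.exe"},
    # Expected original filename but outside an AI_STUBS folder: no match.
    {"Image": r"C:\Tools\popupwrapper.exe",
     "OriginalFileName": "popupwrapper.exe"},
]


def triage(events: list) -> list:
    """Return the Image path of every event the selection matches."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in triage(SAMPLE_EVENTS):
        print("ALERT:", image)
```

Because both fields must match, an event that lacks `OriginalFileName` (for example, from a log source that does not record PE version metadata) never triggers the rule.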