LoFP / legitimate msix/appx package installations will trigger this detection. this is expected behavior and not necessarily indicative of malicious activity. this analytic is designed to provide visibility into package installations and should be used as part of a broader detection strategy. consider correlating these events with other suspicious indicators such as unsigned packages or packages from unusual sources.

Techniques

• T1204.002

Sample rules

Windows AppX Deployment Package Installation Success

• source: splunk
• technicques:
  • T1204.002

Description

This analytic detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. This event is generated when an MSIX/AppX package has been successfully installed on a system. While most package installations are legitimate, monitoring these events can help identify unauthorized or suspicious package installations, especially when correlated with other events such as unsigned package installations (EventID 603 with Flags=8388608) or full trust package installations (EventID 400 with HasFullTrust=true).

Detection logic

`wineventlog_appxdeploymentserver` EventCode=854 
| stats count min(_time) as firstTime max(_time) as lastTime values(Path) as PackagePath by dvc EventCode user_id 
| rename dvc as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_appx_deployment_package_installation_success_filter`