Techniques
Sample rules
Potentially Suspicious Windows App Activity
- source: sigma
- techniques:
Description
Detects potentially suspicious child processes of applications launched from inside the WindowsApps directory. This could be a sign of a rogue “.appx” package being installed or executed.
Detection logic
selection_parent:
    ParentImage|contains: 'C:\Program Files\WindowsApps\'
selection_susp_cli:
    CommandLine|contains:
        - 'cmd /c'
        - 'Invoke-'
        - 'Base64'
selection_susp_img:
    Image|endswith:
        - '\cmd.exe'
        - '\cscript.exe'
        - '\mshta.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\regsvr32.exe'
        - '\rundll32.exe'
        - '\wscript.exe'
filter_optional_terminal:
    Image|endswith:
        - '\powershell.exe'
        - '\cmd.exe'
        - '\pwsh.exe'
    ParentImage|contains: ':\Program Files\WindowsApps\Microsoft.WindowsTerminal'
    ParentImage|endswith: '\WindowsTerminal.exe'
condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
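The following is an added example, not code from the Sigma project or from this page: a small Python evaluator that applies the rule's detection logic to constructed process-creation events using Sysmon-style field names (ParentImage, Image, CommandLine). It assumes Sigma's default case-insensitive string matching, that every key inside one selection map must match (AND), and that `1 of selection_susp_*` is an OR across the two suspicious selections. The events, package folder names and placeholder publisher hashes are constructed, not real telemetry.

```python
# Added example (not part of the Sigma project or this page): evaluates the rule's
# condition over constructed process-creation events so the effect of each selection
# and of the optional filter can be seen. Sigma's contains/endswith modifiers match
# case-insensitively by default, so every field value and pattern is lower-cased.

WINDOWS_APPS_DIR = "c:\\program files\\windowsapps\\"
SUSP_CLI = ("cmd /c", "invoke-", "base64")
SUSP_IMG = ("\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
            "\\pwsh.exe", "\\regsvr32.exe", "\\rundll32.exe", "\\wscript.exe")
TERMINAL_PARENT = ":\\program files\\windowsapps\\microsoft.windowsterminal"
TERMINAL_CHILDREN = ("\\powershell.exe", "\\cmd.exe", "\\pwsh.exe")


def _field(event, name):
    """Lower-cased field value; empty string when the event lacks the field."""
    return str(event.get(name, "")).lower()


def selection_parent(event):
    return WINDOWS_APPS_DIR in _field(event, "ParentImage")


def selection_susp_cli(event):
    cmdline = _field(event, "CommandLine")
    return any(token in cmdline for token in SUSP_CLI)


def selection_susp_img(event):
    image = _field(event, "Image")
    return any(image.endswith(suffix) for suffix in SUSP_IMG)


def filter_optional_terminal(event):
    # All three field conditions of the filter map must hold (keys in a Sigma map are ANDed).
    image = _field(event, "Image")
    parent = _field(event, "ParentImage")
    return (any(image.endswith(suffix) for suffix in TERMINAL_CHILDREN)
            and TERMINAL_PARENT in parent
            and parent.endswith("\\windowsterminal.exe"))


def matches(event):
    # condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_*
    return (selection_parent(event)
            and (selection_susp_cli(event) or selection_susp_img(event))
            and not filter_optional_terminal(event))


# Constructed events; the "__placeholder" suffix stands in for a package publisher hash.
EVENTS = [
    {"id": "terminal-cmd",
     "ParentImage": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.0.0.0_x64__placeholder\\WindowsTerminal.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"id": "terminal-wscript",
     "ParentImage": "C:\\Program Files\\WindowsApps\\Microsoft.WindowsTerminal_1.0.0.0_x64__placeholder\\WindowsTerminal.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe script.vbs"},
    {"id": "appx-rundll32",
     "ParentImage": "C:\\Program Files\\WindowsApps\\Contoso.Notes_1.0.0.0_x64__placeholder\\Notes.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe helper.dll,Start"},
    {"id": "appx-updater",
     "ParentImage": "C:\\Program Files\\WindowsApps\\Contoso.Notes_1.0.0.0_x64__placeholder\\Notes.exe",
     "Image": "C:\\Program Files\\WindowsApps\\Contoso.Notes_1.0.0.0_x64__placeholder\\Updater.exe",
     "CommandLine": "Updater.exe --check"},
    {"id": "explorer-cmd",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c dir"},
]


def alerts(events):
    """Return the ids of the events the rule would fire on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerts(EVENTS))  # expected: ['terminal-wscript', 'appx-rundll32']
```

The `terminal-wscript` event shows how narrow the optional filter is: it only exempts cmd, powershell and pwsh launched by Windows Terminal, so a script host spawned from the same parent still fires, while `appx-updater` shows that an ordinary helper binary from the same package never enters either suspicious selection.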