Techniques
Sample rules
XBAP Execution From Uncommon Locations Via PresentationHost.EXE
- source: sigma
- techniques:
- t1218
Description
Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. This can be abused to run malicious ".xbap" files and bypass application whitelisting (AWL).
Detection logic
condition: all of selection* and not 1 of filter_main_*
filter_main_generic:
    CommandLine|contains:
        - ' C:\Windows\'
        - ' C:\Program Files'
selection_cli:
    CommandLine|contains: .xbap
selection_img:
    - Image|endswith: \presentationhost.exe
    - OriginalFileName: PresentationHost.exe
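
The detection logic above, evaluated over sample events. This is an added example, not part of the Sigma rule or its project; the events, the function names and the paths in them are constructed for illustration.

```python
# Added example: the rule's detection logic evaluated over constructed events.
# Sigma string matching is case-insensitive by default, so everything is lowercased.

def contains_any(value, needles):
    value = value.lower()
    return any(n.lower() in value for n in needles)

def selection_img(ev):
    # A list of maps in Sigma is an OR: either field may identify the binary.
    return (ev["Image"].lower().endswith("\\presentationhost.exe")
            or ev["OriginalFileName"].lower() == "presentationhost.exe")

def selection_cli(ev):
    return contains_any(ev["CommandLine"], [".xbap"])

def filter_main_generic(ev):
    # Both values start with a space, so the path must directly follow a space;
    # the host binary's own path at position 0 does not count.
    return contains_any(ev["CommandLine"], [" C:\\Windows\\", " C:\\Program Files"])

def rule_matches(ev):
    # condition: all of selection* and not 1 of filter_main_*
    return selection_img(ev) and selection_cli(ev) and not filter_main_generic(ev)

HOST = "C:\\Windows\\System32\\PresentationHost.exe"
# Constructed process-creation events (not real telemetry).
EVENTS = {
    "user_writable_dir": (HOST, "PresentationHost.exe",
                          HOST + " C:\\Users\\Public\\app.xbap"),
    "program_files": (HOST, "PresentationHost.exe",
                      HOST + " C:\\Program Files\\Vendor\\app.xbap"),
    "renamed_copy": ("C:\\Users\\Public\\host.exe", "PresentationHost.exe",
                     "host.exe C:\\Users\\Public\\app.xbap"),
    "quoted_program_files": (HOST, "PresentationHost.exe",
                             HOST + ' "C:\\Program Files\\Vendor\\app.xbap"'),
    "other_process": ("C:\\Windows\\System32\\notepad.exe", "NOTEPAD.EXE",
                      "notepad.exe C:\\Users\\Public\\app.xbap"),
}

def evaluate():
    fields = ("Image", "OriginalFileName", "CommandLine")
    return {name: rule_matches(dict(zip(fields, vals))) for name, vals in EVENTS.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:22} {'ALERT' if hit else 'no match'}")
```

The quoted_program_files event alerts because the filter values require a space directly before C:, so a quoted path under an excluded directory is not filtered; expect these as false positives when tuning.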