Some legitimate application installations that the filters do not cover can generate false positives, so baselining and tuning are recommended before deploying this rule to production.

Techniques

Sample rules

Windows AppX Deployment Full Trust Package Installation

Description

Detects the installation of MSIX/AppX packages with full trust, which run with elevated privileges outside the normal AppX container restrictions.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_callerprocess:
  CallingProcess|startswith:
  - sysprep.exe
  - svchost.exe,AppReadiness
filter_main_legitpath:
  PackageSourceUri|startswith:
  - file:///C:/Program%20Files/
  - file:///C:/Program%20Files%20(x86)/
filter_main_microsoft:
- PackageSourceUri|startswith: https://go.microsoft.com/fwlink/?linkid
- PackageSourceUri|contains:
  - .cdn.microsoft.com
  - .cdn.office.net/
filter_optional_microsoftclient:
  PackageFullName|startswith: MicrosoftWindows.Client.
filter_optional_x_update:
  PackageSourceUri|startswith: x-windowsupdate://
selection:
  EventID: 400
  HasFullTrust: true
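The following is an added example, not part of the LoFP page or of the Sigma project's own code. It reimplements the rule's selection, its `filter_main_*` and `filter_optional_*` blocks and the condition `selection and not 1 of filter_main_* and not 1 of filter_optional_*` in plain Python, then runs it over a handful of constructed AppXDeployment-Server events so the effect of each filter (and of dropping the optional ones during tuning) is visible. Field names come from the rule; the event values, package names and the `evaluate` helper are constructed for illustration.

```python
"""Added example (not the LoFP page's or Sigma's own code): evaluate the
'Windows AppX Deployment Full Trust Package Installation' rule logic
over constructed sample events."""

# Filter values copied from the rule's detection block.
MAIN_CALLER_PREFIXES = ("sysprep.exe", "svchost.exe,AppReadiness")
MAIN_LEGIT_PATH_PREFIXES = (
    "file:///C:/Program%20Files/",
    "file:///C:/Program%20Files%20(x86)/",
)
MAIN_MS_LINK_PREFIX = "https://go.microsoft.com/fwlink/?linkid"
MAIN_MS_CDN_SUBSTRINGS = (".cdn.microsoft.com", ".cdn.office.net/")
OPT_CLIENT_PREFIX = "MicrosoftWindows.Client."
OPT_UPDATE_PREFIX = "x-windowsupdate://"


def _field(ev, name):
    # Sigma string modifiers match case-insensitively by default, so normalise.
    return str(ev.get(name, "")).casefold()


def _startswith(ev, name, prefixes):
    value = _field(ev, name)
    return any(value.startswith(p.casefold()) for p in prefixes)


def _contains(ev, name, needles):
    value = _field(ev, name)
    return any(n.casefold() in value for n in needles)


def selection(ev):
    return ev.get("EventID") == 400 and ev.get("HasFullTrust") is True


def filter_main_callerprocess(ev):
    return _startswith(ev, "CallingProcess", MAIN_CALLER_PREFIXES)


def filter_main_legitpath(ev):
    return _startswith(ev, "PackageSourceUri", MAIN_LEGIT_PATH_PREFIXES)


def filter_main_microsoft(ev):
    # Two maps listed under one filter: either one matching satisfies it.
    return _startswith(ev, "PackageSourceUri", (MAIN_MS_LINK_PREFIX,)) or _contains(
        ev, "PackageSourceUri", MAIN_MS_CDN_SUBSTRINGS
    )


def filter_optional_microsoftclient(ev):
    return _startswith(ev, "PackageFullName", (OPT_CLIENT_PREFIX,))


def filter_optional_x_update(ev):
    return _startswith(ev, "PackageSourceUri", (OPT_UPDATE_PREFIX,))


MAIN_FILTERS = (filter_main_callerprocess, filter_main_legitpath, filter_main_microsoft)
OPTIONAL_FILTERS = (filter_optional_microsoftclient, filter_optional_x_update)


def rule_matches(ev, optional_filters=OPTIONAL_FILTERS):
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not selection(ev):
        return False
    if any(f(ev) for f in MAIN_FILTERS):
        return False
    return not any(f(ev) for f in optional_filters)


# Constructed sample events (values are made up; only field names follow the rule).
SAMPLE_EVENTS = [
    {"EventID": 400, "HasFullTrust": True, "CallingProcess": "svchost.exe,AppReadiness",
     "PackageFullName": "Contoso.Provisioned_1.0.0.0_x64__contoso1234",
     "PackageSourceUri": "file:///C:/ProgramData/Contoso/Provisioned.msix"},
    {"EventID": 400, "HasFullTrust": True, "CallingProcess": "explorer.exe",
     "PackageFullName": "Contoso.Suite_2.1.0.0_x64__contoso1234",
     "PackageSourceUri": "file:///C:/Program%20Files/Contoso/Suite.msix"},
    {"EventID": 400, "HasFullTrust": True, "CallingProcess": "svchost.exe,wuauserv",
     "PackageFullName": "MicrosoftWindows.Client.Example_1.0.0.0_x64__placeholder",
     "PackageSourceUri": "x-windowsupdate://example-placeholder"},
    {"EventID": 400, "HasFullTrust": False, "CallingProcess": "explorer.exe",
     "PackageFullName": "Contoso.Sandboxed_1.0.0.0_x64__contoso1234",
     "PackageSourceUri": "file:///C:/Users/alice/Downloads/Sandboxed.msix"},
    {"EventID": 400, "HasFullTrust": True, "CallingProcess": "explorer.exe",
     "PackageFullName": "Unknown.Installer_1.0.0.0_x64__deadbeef0000",
     "PackageSourceUri": "file:///C:/Users/alice/Downloads/Installer.msix"},
    {"EventID": 401, "HasFullTrust": True, "CallingProcess": "explorer.exe",
     "PackageFullName": "Contoso.Other_1.0.0.0_x64__contoso1234",
     "PackageSourceUri": "file:///C:/Users/alice/Downloads/Other.msix"},
]


def evaluate(events=SAMPLE_EVENTS, optional_filters=OPTIONAL_FILTERS):
    """Return the PackageFullName of every event the rule would alert on."""
    return [ev["PackageFullName"] for ev in events if rule_matches(ev, optional_filters)]


if __name__ == "__main__":
    for name in evaluate():
        print("ALERT full-trust package outside filters:", name)
```

Running `evaluate()` with the rule as written alerts only on the Downloads-sourced full-trust package; passing `optional_filters=()` shows what surfaces when the optional Microsoft-client and Windows Update filters are disabled, which is the kind of comparison the baselining note above asks for. Organisation-specific exclusions found during tuning would be added as another `filter_main_*` function rather than by loosening `selection`.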