LoFP / this hunting query will detect legitimate msix package interactions from normal users. it is not designed to specifically identify malicious activity but rather to provide visibility into all msix package interactions. security teams should review the results and look for unusual patterns, unexpected packages, or suspicious file paths.

Techniques

• T1204.002

Sample rules

Windows MSIX Package Interaction

• source: splunk
• technicques:
  • T1204.002

Description

This hunting query detects user interactions with MSIX packages by monitoring EventCode 171 in the Microsoft-Windows-AppXPackaging/Operational logs. These events are generated when a user clicks on or attempts to interact with an MSIX package, even if the package is not fully installed. This information can be valuable for security teams to identify what MSIX packages users are attempting to open in their environment, which may help detect malicious MSIX packages before they’re fully installed. Monitoring these interactions can provide early warning of potential MSIX package abuse, which has been leveraged by threat actors such as FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113).

Detection logic

`wineventlog_appxpackaging` EventCode=171 
| stats count min(_time) as firstTime max(_time) as lastTime values(packageFullName) as packageFullName values(user_id) as user_id by host EventCode 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_msix_package_interaction_filter`