Merge pull request #3908 from nasbench/nasbench-rule-devel

feat: new rules and updates

rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml

@@ -0,0 +1,25 @@
+title: Malicious AppX Package Installed
+id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
+status: experimental
+description: Detects installation of known malicious appx packages
+references:
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+    - https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: appxdeployment-server
+detection:
+    selection:
+        EventID: 401
+        # Add more malicious package names
+        # TODO: Investigate the packages here https://github.com/sophoslabs/IoCs/blob/master/Troj-BazarBackdoor.csv based on this report https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+        PackageFullName|contains: '3669e262-ec02-4e9d-bcb4-3d008b4afac9'
+    condition: selection
+falsepositives:
+    - Rare occasions where a malicious package uses the exact same name and version as a legtimate application
+level: medium

rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml

@@ -0,0 +1,24 @@
+title: Suspicious AppX Package Installation Attempt
+id: 898d5fc9-fbc3-43de-93ad-38e97237c344
+status: experimental
+description: Detects an appx package installation with the error code "0x80073cff". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious
+references:
+    - Internal Research
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: appxdeployment-server
+detection:
+    selection:
+        EventID: 401
+        ErrorCode: '0x80073cff' # Check ref section to learn more about this error code
+    condition: selection
+falsepositives:
+    - Legitimate AppX packages not signed by MS used part of an enterprise
+level: medium

rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml

@@ -0,0 +1,42 @@
+title: Suspicious Remote AppX Package Locations
+id: 8b48ad89-10d8-4382-a546-50588c410f0d
+status: experimental
+description: Detects an appx package added the pipeline of the "to be processed" packages which is downloaded from a suspicious domain
+references:
+    - Internal Research
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: appxdeployment-server
+detection:
+    selection:
+        EventID: 854
+        Path|contains:
+            - 'transfer.sh'
+            - 'raw.githubusercontent.com'
+            - 'gist.githubusercontent.com'
+            - 'pastebin.com'
+            - 'cdn.discordapp.com/attachments/'
+            - 'mediafire.com'
+            - 'mega.nz'
+            - 'ddns.net'
+            - '.paste.ee'
+            - '.hastebin.com'
+            - '.ghostbin.co/'
+            - 'ufile.io'
+            - 'storage.googleapis.com'
+            - 'anonfiles.com'
+            - 'send.exploit.in'
+            - 'privatlab.net'
+            - 'privatlab.com'
+            - 'sendspace.com'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml

@@ -0,0 +1,37 @@
+title: Suspicious AppX Package Locations
+id: 5cdeaf3d-1489-477c-95ab-c318559fc051
+status: experimental
+description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
+references:
+    - Internal Research
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: appxdeployment-server
+detection:
+    selection:
+        EventID: 854
+        Path|contains:
+            # Paths can be written using forward slash if the "file://" protocol is used
+            - 'C:\Users\Public\'
+            - '/users/public/'
+            - 'C:\PerfLogs\'
+            - 'C:/perflogs/'
+            - '\Desktop\'
+            - '/desktop/'
+            - '\Downloads\'
+            - '/Downloads/'
+            - 'C:\Windows\Temp\'
+            - 'C:/Windows/Temp/'
+            - '\AppdData\Local\Temp\'
+            - '/AppdData/Local/Temp/'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high

rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml

@@ -0,0 +1,37 @@
+title: Uncommon AppX Package Locations
+id: c977cb50-3dff-4a9f-b873-9290f56132f1
+status: experimental
+description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
+references:
+    - Internal Research
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
+    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    service: appxdeployment-server
+detection:
+    selection:
+        EventID: 854
+    filter_generic:
+        Path|contains:
+            # Paths can be written using forward slash if the "file://" protocol is used
+            - 'C:\Program Files\WindowsApps\'
+            - 'C:\Program Files (x86)\'
+            - 'C:\Windows\SystemApps\'
+            - 'C:\Windows\PrintDialog\'
+            - 'C:\Windows\ImmersiveControlPanel\'
+            - 'x-windowsupdate://'
+            - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
+    filter_specific:
+        Path|contains:
+            - 'https://statics.teams.cdn.office.net/'
+            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Unknown
+level: medium

rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml

@@ -1,13 +1,13 @@
-title: AppInstaller Attempts From URL by DNS
+title: AppX Package Installation Attempts Via AppInstaller
 id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
 status: test
-description: AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL
+description: AppInstaller.exe is spawned by the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
 references:
     - https://twitter.com/notwhickey/status/1333900137232523264
     - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
 author: frack113
 date: 2021/11/24
-modified: 2022/12/25
+modified: 2023/01/12
 tags:
     - attack.command_and_control
     - attack.t1105

rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml

@@ -1,5 +1,12 @@
 title: Change PowerShell Policies to an Insecure Level - PowerShell
 id: 61d0475c-173f-4844-86f7-f3eebae1c66b
+related:
+    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
+      type: similar
+    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
+      type: similar
+    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
+      type: similar
 status: experimental
 description: Detects use of Set-ExecutionPolicy to set insecure policies
 references:

rules/windows/process_access/proc_access_win_invoke_patchingapi.yml

@@ -7,7 +7,7 @@ references:
     - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
 author: frack113
 date: 2023/01/07
-modified: 2023/01/09
+modified: 2023/01/11
 tags:
     - attack.defense_evasion
     - attack.t1562.002
@@ -20,12 +20,20 @@ detection:
         CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
         CallTrace|contains: '|UNKNOWN('
         CallTrace|endswith: ')'
-    filter_msbuild:
-        SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
-        SourceImage|endswith:
-            - '\MSBuild\Current\Bin\amd64\MSBuild.exe'
-            - '\MSBuild\Current\Bin\MSBuild.exe'
-        TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+    filter_generic:
+        SourceImage|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+        TargetImage|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+    filter_thor:
+        SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\'
+        SourceImage|endswith: '\thor\thor64.exe'
     condition: selection and not 1 of filter_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml

@@ -1,5 +1,12 @@
 title: Change PowerShell Policies to an Insecure Level
 id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180
+related:
+    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
+      type: similar
+    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # ScriptBlock
+      type: similar
+    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
+      type: similar
 status: experimental
 description: Detects use of executionpolicy option to set insecure policies
 references:

rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml

@@ -0,0 +1,34 @@
+title: Potential PowerShell Execution Policy Tampering - ProcCreation
+id: cf2e938e-9a3e-4fe8-a347-411642b28a9f
+related:
+    - id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # ProcCreation Registry
+      type: similar
+    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
+      type: similar
+    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
+      type: similar
+status: experimental
+description: Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
+references:
+    - https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_path:
+        CommandLine|contains:
+            - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
+            - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
+    selection_values:
+        CommandLine|contains:
+            - 'Bypass'
+            - 'RemoteSigned'
+            - 'Unrestricted'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml

@@ -0,0 +1,38 @@
+title: Suspicious Windows App Activity
+id: f91ed517-a6ba-471d-9910-b3b4a398c0f3
+status: experimental
+description: Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
+references:
+    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/12
+tags:
+    - attack.defense_evasion
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_parent:
+        #GrandParentImage|endswith: '\sihost.exe'
+        ParentImage|contains: 'C:\Program Files\WindowsApps\'
+    selection_susp_img:
+        Image|endswith:
+            # You can add more LOLBINs
+            - '\poweshell.exe'
+            - '\pwsh.exe'
+            - '\rundll32.exe'
+            - '\regsvr32.exe'
+            - '\mshta.exe'
+            - '\cscript.exe'
+            - '\wscript.exe'
+    selection_susp_cli:
+        # You can add more suspicious keywords
+        CommandLine|contains:
+            - 'cmd /c'
+            - 'Invoke-'
+            - 'Base64'
+    condition: selection_parent and 1 of selection_susp_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_susp_cmd.yml

@@ -6,7 +6,7 @@ references:
     - https://github.com/Wh04m1001/SysmonEoP
 author: frack113, Tim Shelton (update fp)
 date: 2022/12/05
-modified: 2023/01/10
+modified: 2023/01/11
 tags:
     - attack.privilege_escalation
     - attack.defense_evasion
@@ -53,6 +53,10 @@ detection:
         ParentImage|startswith: 'C:\Windows\SysWOW64\config\systemprofile\Citrix\UpdaterBinaries\'
         ParentImage|endswith: '\CitrixReceiverUpdater.exe'
         Image|endswith: '\cmd.exe'
+    filter_thor:
+        ParentImage|endswith: '\python.exe'
+        CommandLine: 'C:\WINDOWS\system32\cmd.exe /c "ver"'
+        CurrentDirectory|contains: 'C:\WINDOWS\Temp\asgard2-agent\'
     condition: all of selection_* and not 1 of filter_*
 falsepositives:
     - Unknown

rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml

@@ -0,0 +1,28 @@
+title: Potential Signing Bypass Via Windows Developer Features
+id: a383dec4-deec-4e6e-913b-ed9249670848
+status: experimental
+description: Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
+references:
+    - Internal Research
+    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+    - attack.defense_evasion
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\SystemSettingsAdminFlows.exe'
+        - OriginalFileName: 'SystemSettingsAdminFlows.EXE'
+    selection_flag:
+        CommandLine|contains: 'TurnOnDeveloperFeatures'
+    selection_options:
+        CommandLine|contains:
+            - 'DeveloperUnlock'
+            - 'EnableSideloading'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml

@@ -0,0 +1,41 @@
+title: Potential PowerShell Execution Policy Tampering
+id: fad91067-08c5-4d1a-8d8c-d96a21b37814
+related:
+    - id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # Registry
+      type: similar
+    - id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
+      type: similar
+    - id: 61d0475c-173f-4844-86f7-f3eebae1c66b # PowerShell ScriptBlock
+      type: similar
+status: experimental
+description: Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
+references:
+    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
+author: Nasreddine Bencherchali
+date: 2023/01/11
+tags:
+    - attack.defense_evasion
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection:
+        EventType: SetValue
+        TargetObject|endswith:
+            # Note for future readers: For PowerShell 7+ the ExecutionPolicy is handled via a setting file due to the fact that PWSH7 is available for mac and linux
+            # Attackers can create a per-user setting file (powershell.config.json) and set the execution policy there
+            # Learn more here: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_powershell_config?view=powershell-7.3
+            - '\ShellIds\Microsoft.PowerShell\ExecutionPolicy'
+            - '\Policies\Microsoft\Windows\PowerShell\ExecutionPolicy'
+        Details|contains:
+            - 'Bypass'
+            - 'RemoteSigned'
+            - 'Unrestricted'
+    filter_svchost:
+        Image|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+    condition: selection and not 1 of filter_*
+falsepositives:
+    - Unknown
+level: medium

tests/logsource.json

@@ -87,7 +87,8 @@
                 "printservice-admin":[],
                 "msexchange-management":[],
                 "applocker":[],
-				"vhdmp":[]
+                "vhdmp":[],
+                "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"]
             }
         },
         "linux":{

tools/config/elk-windows.yml

@@ -118,5 +118,10 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      EventLog: 'Microsoft-Windows-VHDMP-Operational'
+      EventLog: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      EventLog: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: logstash-*

tools/config/elk-winlogbeat-sp.yml

@@ -118,7 +118,12 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      log_name: 'Microsoft-Windows-VHDMP-Operational'
+      log_name: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: <winlogbeat-{now/d}>
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/elk-winlogbeat.yml

@@ -118,7 +118,12 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      logname: 'Microsoft-Windows-VHDMP-Operational'
+      logname: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      logname: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/fireeye-helix.yml

@@ -146,7 +146,12 @@ logsources:
         product: windows
         service: vhdmp
         conditions:
-            channel: 'Microsoft-Windows-VHDMP-Operational'
+            channel: 'Microsoft-Windows-VHDMP/Operational'
+    windows-appxdeployment-server:
+        product: windows
+        service: appxdeployment-server
+        conditions:
+            channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
     linux:
         product: linux
         index: posix

tools/config/generic/windows-services.yml

@@ -197,5 +197,9 @@ logsources:
         product: windows
         service: vhdmp
         conditions:
-            Provider_Name: 'Microsoft-Windows-VHDMP-Operational'
-            
+            Provider_Name: 'Microsoft-Windows-VHDMP/Operational'
+    windows-appxdeployment-server:
+        product: windows
+        service: appxdeployment-server
+        conditions:
+            Provider_Name: 'Microsoft-Windows-AppXDeploymentServer/Operational'

tools/config/hawk.yml

@@ -132,7 +132,12 @@ logsources:
    product: windows
    service: vhdmp
    conditions:
-     event_channel: 'Microsoft-Windows-VHDMP-Operational'
+     event_channel: 'Microsoft-Windows-VHDMP/Operational'
+ windows-appxdeployment-server:
+   product: windows
+   service: appxdeployment-server
+   conditions:
+     event_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
  windows-network-connection:
    product: windows
    category: network_connection

tools/config/logpoint-windows.yml

@@ -118,7 +118,12 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      event_source: 'Microsoft-Windows-VHDMP-Operational'
+      event_source: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      event_source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 fieldmappings:
     EventID: event_id
     FailureCode: result_code

tools/config/logstash-windows.yml

@@ -139,5 +139,10 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      Channel: 'Microsoft-Windows-VHDMP-Operational'
+      Channel: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: logstash-*

tools/config/powershell.yml

@@ -160,4 +160,9 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      LogName: 'Microsoft-Windows-VHDMP-Operational'
+      LogName: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      LogName: 'Microsoft-Windows-AppXDeploymentServer/Operational'

tools/config/splunk-windows.yml

@@ -180,6 +180,11 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      source: 'Microsoft-Windows-VHDMP-Operational'
+      source: 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      source: 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
 fieldmappings:
   EventID: EventCode

tools/config/sumologic.yml

@@ -149,7 +149,12 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      source: 'Microsoft-Windows-VHDMP-Operational'
+      source: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      source: 'Microsoft-Windows-AppXDeploymentServer/Operational'
   apache:
     service: apache
     index: WEBSERVER

tools/config/thor.yml

@@ -424,6 +424,11 @@ logsources:
     service: vhdmp
     sources:
       - 'WinEventLog:Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    sources:
+      - 'WinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational'
   apache:
     category: webserver
     sources:

tools/config/winlogbeat-modules-enabled.yml

@@ -163,7 +163,12 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
+      winlog_channel: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'

tools/config/winlogbeat-old.yml

@@ -126,7 +126,12 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      log_name: 'Microsoft-Windows-VHDMP-Operational'
+      log_name: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      log_name: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: event_data.\1/g'

tools/config/winlogbeat.yml

@@ -152,7 +152,12 @@ logsources:
     product: windows
     service: vhdmp
     conditions:
-      winlog_channel: 'Microsoft-Windows-VHDMP-Operational'
+      winlog_channel: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      winlog_channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/    \1: winlog.event_data.\1/g'

tools/config/zircolite.yml

@@ -113,9 +113,14 @@ logsources:
     product: windows
     service: bits-client
     conditions:
-      Channel: 'Microsoft-Windows-Bits-Client/Operational' 
+      Channel: 'Microsoft-Windows-Bits-Client/Operational'
   windows-vhdmp-Operational:
     product: windows
     service: vhdmp
     conditions:
-      Channel: 'Microsoft-Windows-VHDMP-Operational'
+      Channel: 'Microsoft-Windows-VHDMP/Operational'
+  windows-appxdeployment-server:
+    product: windows
+    service: appxdeployment-server
+    conditions:
+      Channel: 'Microsoft-Windows-AppXDeploymentServer/Operational'