From 77f4b0b2ec4222e2b1510cf254e68a2b411b1976 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Sat, 24 Jan 2026 21:49:41 +0545
Subject: [PATCH] Merge PR #5741 from @swachchhanda000 - Add Splunk Rules for MSIX/AppX

new: Successful MSIX/AppX Package Installation
new: Windows AppX Deployment Full Trust Package Installation
new: Windows AppX Deployment Unsigned Package Installation
new: Windows MSIX Package Support Framework AI_STUBS Execution

---------

Co-authored-by: Nasreddine Bencherchali
---
 ...server_successful_package_installation.yml | 25 +++++++++++
 ...server_full_trust_package_installation.yml | 41 +++++++++++++++++++
 ...g_server_unsigned_package_installation.yml | 30 ++++++++++++++
 ...posh_ps_install_unsigned_appx_packages.yml | 2 +
 ...oc_creation_win_msix_ai_stub_execution.yml | 34 +++++++++++++++
 ...ershell_install_unsigned_appx_packages.yml | 2 +
 tests/logsource.json | 2 +-
 tests/sigma_cli_conf.yml | 1 +
 8 files changed, 136 insertions(+), 1 deletion(-)
 create mode 100644 rules-threat-hunting/windows/builtin/appxdeployment_server/win_appxpackaging_server_successful_package_installation.yml
 create mode 100644 rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml
 create mode 100644 rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml
diff --git a/rules-threat-hunting/windows/builtin/appxdeployment_server/win_appxpackaging_server_successful_package_installation.yml b/rules-threat-hunting/windows/builtin/appxdeployment_server/win_appxpackaging_server_successful_package_installation.yml
new file mode 100644
index 000000000..7e7a00e5e
--- /dev/null
+++ b/rules-threat-hunting/windows/builtin/appxdeployment_server/win_appxpackaging_server_successful_package_installation.yml
@@ -0,0 +1,25 @@
+title: Successful MSIX/AppX Package Installation
+id: 289dfa9e-e378-4a56-a9d4-7ed5ee218029
+status: experimental
+description: |
+ Detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log.
+ While most installations are legitimate, this can help identify unauthorized or suspicious package installations.
+ It is crucial to monitor such events as threat actors may exploit MSIX/AppX packages to deliver and execute malicious payloads.
+references:
+ - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
+author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-03
+tags:
+ - attack.execution
+ - attack.t1204.002
+ - detection.threat-hunting
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ selection:
+ EventID: 854
+ condition: selection
+falsepositives:
+ - Legitimate MSIX/AppX package installations
+level: low
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml
new file mode 100644
index 000000000..3ff183ec0
--- /dev/null
+++ b/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_full_trust_package_installation.yml
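Review bot: The selection is `EventID: 854` alone, so the rule fires on every successful install or update of any package, yet it carries no `related:` block although the two other appxdeployment-server rules in this patch (ids e54279c7-4910-4e2c-902c-c56a25b549f6 and 9a025188-6f2d-42f8-bb2f-d3a83d24a5af) read the same channel and the unsigned rule does cross-link its siblings. Add `related:` entries of `type: similar` to those two ids so the hunting rule is discoverable from the alerting ones. The description would also help triage more if it named the fields a hunter should pivot on for this service; tests/logsource.json lists `PackageFullName`, `PackageSourceUri` and `CallingProcess` for it, and the selection itself gives no such guidance.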
@@ -0,0 +1,41 @@
+title: Windows AppX Deployment Full Trust Package Installation
+id: e54279c7-4910-4e2c-902c-c56a25b549f6
+status: experimental
+description: Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
+references:
+ - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
+author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-03
+tags:
+ - attack.defense-evasion
+ - attack.execution
+ - attack.t1204.002
+ - attack.t1553.005
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ selection:
+ EventID: 400
+ HasFullTrust: true
+ filter_main_legitpath:
+ PackageSourceUri|startswith:
+ - 'file:///C:/Program%20Files/'
+ - 'file:///C:/Program%20Files%20(x86)/'
+ filter_main_microsoft:
+ - PackageSourceUri|startswith: 'https://go.microsoft.com/fwlink/?linkid'
+ - PackageSourceUri|contains:
+ - '.cdn.microsoft.com'
+ - '.cdn.office.net/'
+ filter_main_callerprocess:
+ CallingProcess|startswith:
+ - 'sysprep.exe'
+ - 'svchost.exe,AppReadiness'
+ filter_optional_x_update:
+ PackageSourceUri|startswith: 'x-windowsupdate://'
+ filter_optional_microsoftclient:
+ PackageFullName|startswith: 'MicrosoftWindows.Client.'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Some legitimate applications installation which have been missed from filtering can generate fps, thus baselining and tuning is recommended before deploying to production
+level: medium
diff --git a/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml b/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml
new file mode 100644
index 000000000..3d4a600c2
--- /dev/null
+++ b/rules/windows/builtin/appxdeployment_server/win_appxpackaging_server_unsigned_package_installation.yml
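Review bot: `filter_main_microsoft` exempts any `PackageSourceUri` that merely contains `.cdn.microsoft.com` or `.cdn.office.net/`, which is not anchored to the host component the way the `go.microsoft.com` entry and the `file:///` paths are anchored with `startswith`, so a URI carrying that substring anywhere in its path or query is exempted too. Because this rule exists to catch full-trust packages from non-Microsoft origins, the exemption should be as strict as its neighbours, e.g. a constructed `PackageSourceUri|re: '^https://[^/]*\.cdn\.(microsoft\.com|office\.net)/'`, or a one-line comment above the filter should record that the looser match is a deliberate tuning trade-off. Separately, `CallingProcess|startswith: 'sysprep.exe'` next to `'svchost.exe,AppReadiness'` implies the field holds a bare image name with an optional `,<service>` suffix rather than a full path; I could not verify that format from the patch, so a comment such as `# CallingProcess is observed as "<image>[,<service>]", not a full path -- confirm` would stop a future tuner from prefixing a directory.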
@@ -0,0 +1,30 @@
+title: Windows AppX Deployment Unsigned Package Installation
+id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
+related:
+ - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
+ type: similar
+ - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
+ type: similar
+status: experimental
+description: Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
+references:
+ - https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage
+ - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
+author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-03
+tags:
+ - attack.defense-evasion
+ - attack.execution
+ - attack.t1204.002
+ - attack.t1553.005
+logsource:
+ product: windows
+ service: appxdeployment-server
+detection:
+ selection:
+ EventID: 603
+ Flags: '8388608'
+ condition: selection
+falsepositives:
+ - Legitimate installation of unsigned packages for legitimate purposes such as development or testing
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
index 01e1b8154..2cdcd8875 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml
@@ -3,6 +3,8 @@ id: 975b2262-9a49-439d-92a6-0709cccdf0b2
 related:
 - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
 type: similar
+ - id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
+ type: similar
 status: test
 description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
 references:
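Review bot: `Flags: '8388608'` is an undocumented magic value: the description says the rule targets the `-AllowUnsigned` parameter, but nothing in the YAML ties that bit (0x00800000) to the parameter, and EventID 603 is likewise never named. Add a comment on that line, e.g. `Flags: '8388608' # 0x00800000, deployment option the authors attribute to -AllowUnsigned; kept as a string, hence the number_as_string exclusion in tests/sigma_cli_conf.yml`, so the next tuner neither changes the type nor "fixes" the value blindly. Whether the field is a plain decimal or a bitmask that can carry other bits at the same time is not visible from the patch; if it is a bitmask, an exact match will miss installs that set additional options, which the comment should also state.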
diff --git a/rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml b/rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml
new file mode 100644
index 000000000..c39b9f2c8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_msix_ai_stub_execution.yml
@@ -0,0 +1,34 @@
+title: Windows MSIX Package Support Framework AI_STUBS Execution
+id: af5732ed-764e-489d-826d-0447c8b36242
+status: experimental
+description: |
+ Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
+ This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
+references:
+ - https://redcanary.com/blog/threat-intelligence/msix-installers/
+ - https://redcanary.com/threat-detection-report/techniques/installer-packages/
+ - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
+ - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
+author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-03
+tags:
+ - attack.defense-evasion
+ - attack.execution
+ - attack.t1218
+ - attack.t1553.005
+ - attack.t1204.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\AI_STUBS\AiStubX64Elevated.exe'
+ - '\AI_STUBS\AiStubX86Elevated.exe'
+ - '\AI_STUBS\AiStubX64.exe'
+ - '\AI_STUBS\AiStubX86.exe'
+ OriginalFileName: 'popupwrapper.exe'
+ condition: selection
+falsepositives:
+ - Legitimate applications packaged with Advanced Installer using Package Support Framework
+level: low
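Review bot: The `attack.t1218` tag (System Binary Proxy Execution) is a doubtful mapping for this rule: the AiStub binaries are third-party Advanced Installer components shipped inside the package rather than Windows system binaries, and the evasion angle the description names is already carried by `attack.t1553.005` and `attack.t1204.002`. Either drop the tag or add a sentence to the description explaining in what sense the stub acts as an execution proxy, so the mapping is deliberate rather than inherited from the blog post. The description also has a typo in its second line, `malicious MSIX packages build with Advanced Installer` should read `malicious MSIX packages built with Advanced Installer`.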
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
index bda94b9c1..8c9071e47 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
@@ -3,6 +3,8 @@ id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
 related:
 - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
 type: similar
+ - id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
+ type: similar
 status: test
 description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
 references:
diff --git a/tests/logsource.json b/tests/logsource.json
index 28763f390..689c35ac7 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -91,7 +91,7 @@
 "msexchange-management":[],
 "applocker":[],
 "vhdmp":[],
- "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess"],
+ "appxdeployment-server":["Path", "AppId", "FilePath", "ErrorCode", "DeploymentOperation", "PackageFullName", "PackageSourceUri", "PackageDisplayName", "CallingProcess","Flags", "HasFullTrust"],
 "appxpackaging-om":["subjectName"],
 "lsa-server":["TargetUserSid", "TargetUserName", "TargetDomainName", "TargetLogonId", "TargetLogonGuid", "EventOrginal", "EventCountTotal", "SidList"],
 "dns-client":["QueryName", "QueryType", "QueryOptions", "QueryStatus", "QueryResults", "NetworkIndex", "InterfaceIndex", "Status", "ClientPID", "QueryBlob", "DnsServerIpAddress", "ResponseStatus", "SendBlob", "SendBlobContext", "AddressLength", "Address"],
diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml
index 497510938..7dbea2221 100644
--- a/tests/sigma_cli_conf.yml
+++ b/tests/sigma_cli_conf.yml
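Review bot: In the tests/logsource.json hunk the new fields are appended as `"CallingProcess","Flags", "HasFullTrust"`, dropping the `", "` separator that every other element of that line and of the neighbouring lines uses; `"CallingProcess", "Flags", "HasFullTrust"` keeps the list consistent. It is only formatting, but this file is hand-edited for every new field and uneven spacing makes later diffs noisier than they need to be.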
@@ -56,6 +56,7 @@ exclusions:
 5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string
 749c9f5e-b353-4b90-a9c1-05243357ca4b: number_as_string
 85b88e05-dadc-430b-8a9e-53ff1cd30aae: number_as_string
+ 9a025188-6f2d-42f8-bb2f-d3a83d24a5af: number_as_string
 # specific_instead_of_generic_logsource
 23b71bc5-953e-4971-be4c-c896cda73fc2: specific_instead_of_generic_logsource
 693a44e9-7f26-4cb6-b787-214867672d3a: specific_instead_of_generic_logsource