splApache-2.0from splunk/security_content
Windows Developer-Signed MSIX Package Installation
This detection identifies the installation of developer-signed MSIX packages that lack Microsoft Store signatures. All malicious MSIX packages observed in recent threat campaigns (including those from FIN7, Zloader/Storm-0569, and FakeBat/Storm-1113) were developer-signed rather than Microsoft Store signed. Microsoft Store apps have specific publisher IDs containing '8wekyb3d8bbwe' or 'cw5n1h2txyewy', while developer-signed packages lack these identifiers. This detection focuses on EventID 855 from the Microsoft-Windows-AppXDeployment-Server/Operational logs, which indicates a completed package installation.
Quality
51
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_developer_signed_msix_package_installation.yml
`wineventlog_appxdeploymentserver` EventCode=855 NOT PackageMoniker IN ("*8wekyb3d8bbwe*","*cw5n1h2txyewy*")
| stats count min(_time) as firstTime max(_time) as lastTime values(PackageMoniker) as PackageMoniker
BY dvc EventCode user_id
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_developer_signed_msix_package_installation_filter`