New Process Created In Context Of AppX Package - PsScript

Rule Info

Name
New Process Created In Context Of AppX Package - PsScript
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the usage of the "Invoke-CommandInDesktopPackage" cmdlet to spawn processes in the context of an AppX package. In order to gain access to it's virtualized file system and registry
Reference
https://learn.microsoft.com/en-us/powershell/module/appx/invoke-commandindesktoppackage?view=windowsserver2022-ps
Date
2023-02-01 00:00:00
Modified
None
Id
420d6631-aebd-4590-8c0e-2d63140bc1f9
Tags
attack.execution attack.t1059.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022