New Process Created In Context Of AppX Package - ProcCreation

Rule Info

Name
New Process Created In Context Of AppX Package - ProcCreation
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the usage of the "Invoke-CommandInDesktopPackage" cmdlet to spawn processes in the context of an AppX package in order to gain access to its virtualized file system and registry.
Date
2023-02-01 00:00:00
Modified
None
Id
87506372-81e5-4ecd-9038-1019d5517a1c
Tags
attack.execution attack.t1059.001
Type
Nextron Sigma feed only (private)

Rule History