Potentially Suspicious Script File Created In WindowsApps Directory

Rule Info

Name: Potentially Suspicious Script File Created In WindowsApps Directory
Author: Nasreddine Bencherchali (Nextron Systems)
Description: Detects the creation of a file with a script extension (ps1, vbs, bat) in the "WindowsApps" directory. This could be a sign of a rogue MSIX package.
Date: 2024-06-06 00:00:00
Modified: None
Id: d36faa80-36d7-44fd-afc2-9080298cefca
Tags: attack.persistence, attack.t1546, attack.defense_evasion, attack.t1027
Type: Nextron Sigma feed only (private)

Rule History