Suspicious Windows App Activity

Rule Info

Name
Suspicious Windows App Activity
Description
Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
Reference
https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
Modified
None
Date
2023-01-12 00:00:00
Author
Nasreddine Bencherchali (Nextron Systems)
Tags
attack.defense_evasion DEMO
Id
f91ed517-a6ba-471d-9910-b3b4a398c0f3
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=f91ed517-a6ba-471d-9910-b3b4a398c0f3

Rule History

Author
Commit
Title
Date
Nasreddine Bencherchali
7c38a5c49
chore: add nextron authors tag
2023-02-01
Nasreddine Bencherchali
67ea98a6d
feat: more updates and fixes
2023-01-12
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022