Microsoft-Windows-AppModel-Runtime › Event 201

Event ID 201 — Created process ProcessID for application ApplicationName in package PackageName.

Provider: Microsoft-Windows-AppModel-Runtime
Channel: Admin
Level: Informational

Description

Created process ProcessID for application ApplicationName in package PackageName. Message. (ProcessID, ApplicationName, PackageName and Message are the event's data fields; see the field list below.)

Message

Created process %1 for application %4 in package %2. %5

Fields

Name            Type
ProcessID       UInt32
PackageName     UnicodeString
ImageName       UnicodeString
ApplicationName UnicodeString
Message         UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-AppModel-Runtime",
    "guid": "F1EF270A-0D32-4352-BA52-DBAB41E1D859",
    "event_source_name": "",
    "event_id": 201,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693956,
    "time_created": "2023-11-06T01:55:56.247720+00:00",
    "event_record_id": 466,
    "correlation": {},
    "execution": {
      "process_id": 5324,
      "thread_id": 18660
    },
    "channel": "Microsoft-Windows-AppModel-Runtime/Admin",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ProcessID": 21588,
    "PackageName": "Microsoft.WindowsNotepad_11.2307.27.0_x64__8wekyb3d8bbwe",
    "ImageName": "Notepad.exe",
    "ApplicationName": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App",
    "Message": "[FinishPackageActivation]"
  },
  "message": ""
}

Detection Rules

Sigma

  • Sysinternals Tools AppX Versions Execution (level: low): Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.