Event ID 400 — Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path finished successfully.
Description
Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path finished successfully.
Fields
| Name | Type | Description |
|---|---|---|
| DeploymentOperation | UInt32 | — |
| PackageFullName | UnicodeString | — |
| Path | UnicodeString | 2 from. |
| MountPoint | UnicodeString | — |
| TargetPlatform | HexInt32 | — |
| SystemVolume | Boolean | — |
| StorageId | UnicodeString | — |
| IsCentennial | Boolean | — |
| PackageType | HexInt32 | — |
| IsPackageEncrypted | Boolean | — |
| DeploymentOptions | HexInt64 | — |
| IsStreamingPackage | Boolean | — |
| IsInRelatedSet | Boolean | — |
| IsPackageUsingBDC | Boolean | — |
| MainPackageFamilyName | UnicodeString | — |
| CallingProcess | UnicodeString | — |
| IsOptional | Boolean | — |
| PackageFlags | HexInt32 | — |
| PackageFlags2 | HexInt32 | — |
| HasWin32alacarte | Boolean | — |
| HasFullTrust | Boolean | — |
| ExternalLocation | UnicodeString | — |
| PackageSourceUri | UnicodeString | — |
| PackageDisplayName | UnicodeString | — |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-AppXDeployment-Server",
    "guid": "3F471139-ACB7-4A01-B7A7-FF5DA4BA2D43",
    "event_source_name": "",
    "event_id": 400,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 2,
    "keywords": 4611686018427387905,
    "time_created": "2023-11-06T06:23:19.438983+00:00",
    "event_record_id": 6812,
    "correlation": {
      "ActivityID": "626F7C94-1079-0000-B9AE-6F627910DA01"
    },
    "execution": {
      "process_id": 1532,
      "thread_id": 1660
    },
    "channel": "Microsoft-Windows-AppXDeploymentServer/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DeploymentOperation": 12,
    "PackageFullName": "MicrosoftWindows.Client.WebExperience_423.23500.0.0_neutral_~_cw5n1h2txyewy",
    "Path": " ",
    "MountPoint": "C:",
    "TargetPlatform": "0x3",
    "SystemVolume": true,
    "StorageId": "\\\\?\\Volume{7597d2a3-4404-4f99-b979-6233378a81bf}",
    "IsCentennial": false,
    "PackageType": "0x8",
    "IsPackageEncrypted": false,
    "DeploymentOptions": "0x10000020",
    "IsStreamingPackage": false,
    "IsInRelatedSet": false,
    "IsPackageUsingBDC": false,
    "MainPackageFamilyName": "NULL",
    "CallingProcess": "",
    "IsOptional": false,
    "PackageFlags": "0x0",
    "PackageFlags2": "0x800",
    "HasWin32alacarte": false,
    "HasFullTrust": false,
    "ExternalLocation": "",
    "PackageSourceUri": "",
    "PackageDisplayName": " "
  },
  "message": ""
}
```
Detection Rules

Sigma
- Potential Malicious AppX Package Installation Attempts (level: medium): Detects potential installation or installation attempts of known malicious AppX packages. Also matches Event ID 401: Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path failed with error ErrorCode.
- Windows AppX Deployment Full Trust Package Installation (level: medium): Detects the installation of MSIX/AppX packages with full trust privileges, which run with elevated privileges outside the normal AppX container restrictions.

Splunk
- Windows AppX Deployment Full Trust Package Installation: The following analytic detects the installation of MSIX/AppX packages with full trust privileges. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventCode 400, which indicates a package deployment operation. Full trust packages are significant as they run with elevated privileges outside the normal AppX container restrictions, allowing them to access system resources that regular AppX packages cannot. Adversaries have been observed leveraging full trust MSIX packages to deliver malware, as documented in recent threat intelligence reports. If confirmed malicious, these packages could allow attackers to execute arbitrary code with elevated privileges, establish persistence, or deliver malware while evading traditional detection mechanisms.
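The full-trust detection logic the Sigma and Splunk rules above describe, written out as an added Python example (not code from this page, from Sigma or from Splunk). It reads EVTX-to-JSON records in the shape of the example event, keeps only Microsoft-Windows-AppXDeployment-Server Event ID 400 (optionally also the 401 failure variant the Sigma rule matches), and reports every deployment whose HasFullTrust field is true together with the context fields a triage analyst wants first (user, calling process, package source). The sample records are constructed: the first mirrors the page's example event, the other two use placeholder package names and paths that are not indicators of anything.

```python
import json

PROVIDER = "Microsoft-Windows-AppXDeployment-Server"
EVENT_ID_SUCCESS = 400  # page: deployment finished successfully
EVENT_ID_FAILURE = 401  # page: deployment failed with ErrorCode

# Constructed sample input. Record 1 mirrors the page's example event
# (HasFullTrust false). Records 2 and 3 are invented, with placeholder
# package names, paths and URIs; record 3 is a failed deployment (401).
SAMPLE_EVENTS_JSON = r"""
[
  {"system": {"provider": "Microsoft-Windows-AppXDeployment-Server", "event_id": 400,
              "channel": "Microsoft-Windows-AppXDeploymentServer/Operational",
              "time_created": "2023-11-06T06:23:19.438983+00:00",
              "security": {"user_id": "S-1-5-18"}},
   "event_data": {"DeploymentOperation": 12,
                  "PackageFullName": "MicrosoftWindows.Client.WebExperience_423.23500.0.0_neutral_~_cw5n1h2txyewy",
                  "HasFullTrust": false, "IsCentennial": false,
                  "CallingProcess": "", "PackageSourceUri": ""}},
  {"system": {"provider": "Microsoft-Windows-AppXDeployment-Server", "event_id": 400,
              "channel": "Microsoft-Windows-AppXDeploymentServer/Operational",
              "time_created": "2024-01-15T10:02:41.000000+00:00",
              "security": {"user_id": "S-1-5-21-1000-2000-3000-1001"}},
   "event_data": {"DeploymentOperation": 12,
                  "PackageFullName": "ExamplePublisher.PlaceholderApp_1.0.0.0_x64__abcdefghijklm",
                  "HasFullTrust": "True", "IsCentennial": false,
                  "CallingProcess": "C:\\Users\\user\\Downloads\\placeholder-installer.exe",
                  "PackageSourceUri": "https://example.invalid/placeholder.msix"}},
  {"system": {"provider": "Microsoft-Windows-AppXDeployment-Server", "event_id": 401,
              "channel": "Microsoft-Windows-AppXDeploymentServer/Operational",
              "time_created": "2024-01-15T10:05:00.000000+00:00",
              "security": {"user_id": "S-1-5-21-1000-2000-3000-1001"}},
   "event_data": {"DeploymentOperation": 12,
                  "PackageFullName": "ExamplePublisher.PlaceholderApp_1.0.0.0_x64__abcdefghijklm",
                  "HasFullTrust": true, "IsCentennial": false,
                  "CallingProcess": "", "PackageSourceUri": ""}}
]
"""


def as_bool(value):
    """EVTX converters emit booleans either as JSON true/false or as the
    strings "true"/"True"; normalise both so the rule does not silently miss."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1")


def is_appx_deployment_event(event, include_failures=False):
    """True for AppXDeployment-Server Event ID 400 (and 401 when requested)."""
    system = event.get("system", {})
    if system.get("provider") != PROVIDER:
        return False
    wanted = {EVENT_ID_SUCCESS}
    if include_failures:
        wanted.add(EVENT_ID_FAILURE)
    return system.get("event_id") in wanted


def full_trust_installs(events, include_failures=False):
    """Return one finding per deployment event whose HasFullTrust is set."""
    findings = []
    for event in events:
        if not is_appx_deployment_event(event, include_failures):
            continue
        data = event.get("event_data", {})
        if not as_bool(data.get("HasFullTrust", False)):
            continue
        system = event["system"]
        findings.append({
            "time": system.get("time_created"),
            "user": system.get("security", {}).get("user_id"),
            "package": data.get("PackageFullName"),
            "calling_process": data.get("CallingProcess") or None,
            "source_uri": data.get("PackageSourceUri") or None,
            "outcome": "success" if system.get("event_id") == EVENT_ID_SUCCESS else "failure",
        })
    return findings


def load_sample_events():
    return json.loads(SAMPLE_EVENTS_JSON)


if __name__ == "__main__":
    for finding in full_trust_installs(load_sample_events(), include_failures=True):
        print(json.dumps(finding))
```

Feeding the page's own example record through this yields no finding (HasFullTrust is false and the package is installed by SYSTEM from a system volume), which is the expected baseline; the constructed full-trust record is reported with its calling process and source URI so the analyst can pivot to where the package came from. Passing include_failures=True reproduces the Sigma rule's behaviour of also surfacing Event ID 401 attempts.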
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline