Microsoft-Windows-AppXDeployment-Server › Event 855

Event ID 855 — Finished resolving action lists.

Provider: Microsoft-Windows-AppXDeployment-Server
Channel: Operational
Level: Informational
Task: AppXDeployment.Task.Server.Dependency

Description

Finished resolving action lists. DeploymentRequest action lists:PackageMoniker.

Message

Finished resolving action lists. DeploymentRequest action lists:%1.

Fields

Name            Type           Description
PackageMoniker  UnicodeString  Finished resolving action lists. DeploymentRequest action lists.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-AppXDeployment-Server",
    "guid": "3F471139-ACB7-4A01-B7A7-FF5DA4BA2D43",
    "event_source_name": "",
    "event_id": 855,
    "version": 0,
    "level": 4,
    "task": 4,
    "opcode": 0,
    "keywords": 4611686018427387905,
    "time_created": "2023-11-06T06:22:35.475271+00:00",
    "event_record_id": 5859,
    "correlation": {
      "ActivityID": "626F7C94-1079-0003-2383-6F627910DA01"
    },
    "execution": {
      "process_id": 1532,
      "thread_id": 1636
    },
    "channel": "Microsoft-Windows-AppXDeploymentServer/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PackageMoniker": " addPackageList: MicrosoftWindows.UndockedDevKit_10.0.22621.1_neutral_neutral_cw5n1h2txyewy"
  },
  "message": ""
}

Detection Rules


Splunk

  • Windows AppX Deployment Unsigned Package Installation: The following analytic detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventID 603, which indicates the start of a deployment operation with specific deployment flags. The flag value 8388608 corresponds to the -AllowUnsigned option in PowerShell's Add-AppxPackage cmdlet. This activity is significant because adversaries have been observed leveraging unsigned MSIX packages to deliver malware, bypassing the signature verification that would normally protect users from malicious packages. If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.
  • Windows Developer-Signed MSIX Package Installation: This detection identifies the installation of developer-signed MSIX packages that lack Microsoft Store signatures. All malicious MSIX packages observed in recent threat campaigns (including those from FIN7, Zloader/Storm-0569, and FakeBat/Storm-1113) were developer-signed rather than Microsoft Store signed. Microsoft Store apps have specific publisher IDs containing '8wekyb3d8bbwe' or 'cw5n1h2txyewy', while developer-signed packages lack these identifiers. This detection focuses on EventID 855 from the Microsoft-Windows-AppXDeployment-Server/Operational logs, which indicates a completed package installation.
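The second rule above keys on the publisher ID at the end of the package full name carried in PackageMoniker. The following is an added example, not code from the Splunk rule or from Microsoft, showing how that check can be applied to events in the JSON shape of the Example Event section: it parses each full package name (Name_Version_Architecture_ResourceId_PublisherId) out of the moniker, and flags EventID 855 records whose publisher ID is neither '8wekyb3d8bbwe' nor 'cw5n1h2txyewy'. The sample events are constructed; only the first reuses the package name from the page, and the developer-signed package name and its publisher ID are invented placeholders.

```python
import re
from dataclasses import dataclass

# Publisher IDs the Splunk rule treats as Microsoft Store signed.
STORE_PUBLISHER_IDS = {"8wekyb3d8bbwe", "cw5n1h2txyewy"}

# Package full name layout: Name_Version_Architecture_ResourceId_PublisherId.
# ResourceId may be empty, which is why two consecutive underscores are allowed.
_FULL_NAME = re.compile(
    r"(?P<name>[A-Za-z0-9.\-]+)_(?P<version>\d+(?:\.\d+){3})_"
    r"(?P<arch>[A-Za-z0-9]+)_(?P<resource>[A-Za-z0-9.\-]*)_"
    r"(?P<publisher>[a-z0-9]{13})\b"
)


@dataclass
class PackageRef:
    name: str
    version: str
    arch: str
    resource: str
    publisher_id: str

    @property
    def store_signed(self) -> bool:
        """True when the publisher ID is one of the Store IDs named in the rule."""
        return self.publisher_id in STORE_PUBLISHER_IDS

    @property
    def full_name(self) -> str:
        return f"{self.name}_{self.version}_{self.arch}_{self.resource}_{self.publisher_id}"


def parse_monikers(moniker: str) -> list[PackageRef]:
    """Extract every package full name from a PackageMoniker string.

    The value on the page carries a leading 'addPackageList:' label; the regex
    simply skips anything that is not a well-formed full name.
    """
    return [
        PackageRef(m["name"], m["version"], m["arch"], m["resource"], m["publisher"])
        for m in _FULL_NAME.finditer(moniker)
    ]


def is_event_855(event: dict) -> bool:
    """Match EventID 855 from the AppXDeploymentServer/Operational channel."""
    system = event.get("system", {})
    channel = system.get("channel", "")
    return system.get("event_id") == 855 and channel.startswith(
        "Microsoft-Windows-AppXDeploymentServer"
    )


def find_non_store_packages(events: list[dict]) -> list[dict]:
    """Return one hit per package in an 855 event whose publisher ID is not a Store ID."""
    hits = []
    for event in events:
        if not is_event_855(event):
            continue
        moniker = event.get("event_data", {}).get("PackageMoniker", "")
        for pkg in parse_monikers(moniker):
            if not pkg.store_signed:
                hits.append({
                    "computer": event["system"].get("computer"),
                    "time_created": event["system"].get("time_created"),
                    "package": pkg.full_name,
                    "publisher_id": pkg.publisher_id,
                })
    return hits


# Constructed sample events in the shape of the page's Example Event.
SAMPLE_EVENTS = [
    {   # Store-signed package: reuses the package name from the page's example
        "system": {"event_id": 855, "computer": "WinDev2310Eval",
                   "time_created": "2023-11-06T06:22:35.475271+00:00",
                   "channel": "Microsoft-Windows-AppXDeploymentServer/Operational"},
        "event_data": {"PackageMoniker": " addPackageList: "
                       "MicrosoftWindows.UndockedDevKit_10.0.22621.1_neutral_neutral_cw5n1h2txyewy"},
    },
    {   # Developer-signed package: name and publisher ID are invented placeholders
        "system": {"event_id": 855, "computer": "WinDev2310Eval",
                   "time_created": "2023-11-06T06:30:00.000000+00:00",
                   "channel": "Microsoft-Windows-AppXDeploymentServer/Operational"},
        "event_data": {"PackageMoniker": " addPackageList: "
                       "Contoso.PlaceholderApp_1.0.0.0_x64__abcdefghijklm"},
    },
    {   # Different event ID on the same channel: must be ignored by the filter
        "system": {"event_id": 603, "computer": "WinDev2310Eval",
                   "time_created": "2023-11-06T06:29:59.000000+00:00",
                   "channel": "Microsoft-Windows-AppXDeploymentServer/Operational"},
        "event_data": {},
    },
]

if __name__ == "__main__":
    for hit in find_non_store_packages(SAMPLE_EVENTS):
        print(hit)
```

Enterprise line-of-business apps and locally sideloaded developer builds also carry non-Store publisher IDs, so treat a hit as a triage lead and tune it with an allow list of known publisher IDs for your environment rather than alerting on every match.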
