Detection rules › Sigma
Windows MSIX Package Support Framework AI_STUBS Execution
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'. This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.002 User Execution: Malicious File |
| Defense Evasion | T1218 System Binary Proxy Execution, T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection
or:
Image|endswith: '\AI_STUBS\AiStubX64.exe'
Image|endswith: '\AI_STUBS\AiStubX64Elevated.exe'
Image|endswith: '\AI_STUBS\AiStubX86.exe'
Image|endswith: '\AI_STUBS\AiStubX86Elevated.exe'
OriginalFileName: popupwrapper.exe
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
OriginalFileName | eq |
|