Windows AppX Deployment Full Trust Package Installation

Severity: medium
Author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1204.002` User Execution: Malicious File
Defense Evasion	`T1553.005` Subvert Trust Controls: Mark-of-the-Web Bypass

Event coverage

Provider	Event ID	Title
AppXDeployment-Server	400	Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path finished successfully.

Stages and Predicates

Stage 1: `selection`

HasFullTrust: true

Stage 2: `not 1 of filter_main_*`

or:
CallingProcess|startswith: 'svchost.exe,AppReadiness'
CallingProcess|startswith: sysprep.exe
PackageSourceUri|contains: .cdn.microsoft.com
PackageSourceUri|contains: '.cdn.office.net/'
PackageSourceUri|startswith: 'file:///C:/Program%20Files%20(x86)/'
PackageSourceUri|startswith: 'file:///C:/Program%20Files/'
PackageSourceUri|startswith: 'https://go.microsoft.com/fwlink/?linkid'

Stage 3: `not 1 of filter_optional_*`

or:
PackageFullName|startswith: MicrosoftWindows.Client.
PackageSourceUri|startswith: 'x-windowsupdate://'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CallingProcess`	starts_with	`svchost.exe,AppReadiness` `sysprep.exe`
`HasFullTrust`	eq	`true`
`PackageFullName`	starts_with	`MicrosoftWindows.Client.`
`PackageSourceUri`	match	`.cdn.microsoft.com` `.cdn.office.net/`
`PackageSourceUri`	starts_with	`file:///C:/Program%20Files%20(x86)/` `file:///C:/Program%20Files/` `https://go.microsoft.com/fwlink/?linkid` `x-windowsupdate://`