# windows_event_log_appxpackaging_171.yml
name: Windows Event Log AppXPackaging 171
id: 2d0f8e3c-a2d7-4b9e-8f1c-6a5d7e3e9f2b
version: 1
date: '2025-08-05'
author: Michael Haag, Splunk
description: 'This data source captures Windows Event Logs from the Microsoft-Windows-AppXPackaging/Operational
  channel, specifically EventCode 171. These events are generated when a user clicks
  on or otherwise attempts to interact with an MSIX package, even if the package is
  never fully installed.
  Event ID 171 records the package full name of the MSIX package and the SID of the
  user who initiated the interaction. This is valuable for security monitoring because
  it shows which MSIX packages users are attempting to open in an environment and can
  surface a malicious MSIX package before it''s fully installed.
  MSIX package abuse has been observed in several threat campaigns, including those
  attributed to FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113). Monitoring these
  interactions can provide early warning of MSIX package abuse.
  '
source: XmlWinEventLog:Microsoft-Windows-AppxPackaging/Operational
sourcetype: XmlWinEventLog
separator: EventCode
supported_TA:
- name: Splunk Add-on for Microsoft Windows
  url: https://splunkbase.splunk.com/app/742
  version: 9.1.2
fields:
- CategoryString
- Channel
- Computer
- EventCode
- EventData_Xml
- EventID
- EventRecordID
- Keywords
- Level
- Opcode
- ProcessID
- RecordNumber
- SourceName
- SystemTime
- System_Props_Xml
- Task
- TaskCategory
- ThreadID
- Version
- _time
- dest
- host
- packageFullName
- user_id
references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://www.appdeploynews.com/packaging-types/msix/troubleshooting-an-msix-package/
- https://redcanary.com/blog/msix-installers/
example_log: <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider
  Name='Microsoft-Windows-AppXPackaging' Guid='{4bfe0fde-99d6-5630-8a47-da7bfaefd876}'/><EventID>171</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated
  SystemTime='2025-08-05T12:34:56.7890123Z'/><EventRecordID>123456</EventRecordID><Correlation/><Execution
  ProcessID='1234' ThreadID='5678'/><Channel>Microsoft-Windows-AppXPackaging/Operational</Channel><Computer>DESKTOP-EXAMPLE</Computer><Security
  UserID='S-1-5-21-1234567890-1234567890-1234567890-1001'/></System><EventData><Data
  Name='packageFullName'>MaliciousApp_1.0.0.0_x64__abcd1234</Data></EventData></Event>
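The data source above names the fields it exposes and gives one example_log, but does not show how a 171 record is taken apart or what a detection built on it would check. The following is an added example, not code from the security_content project or from the data source's author: it parses a constructed copy of the example_log into the listed fields (EventCode, Channel, Computer, SystemTime, user_id, packageFullName), splits the package full name into its Name_Version_Architecture_ResourceId_PublisherId components, and applies a hypothetical publisher-allowlist rule. The allowlist, the `evaluate` verdict format and the second sample package are assumptions made for illustration; the only real-world constant used is Microsoft's publisher ID 8wekyb3d8bbwe.

```python
"""Parse a Microsoft-Windows-AppXPackaging/Operational EventID 171 record and
apply a publisher-allowlist check to the MSIX package it names.

Added example; not code from the Splunk security_content project. The sample
event is constructed from the data source's example_log, and the allowlist and
verdict format are assumptions made for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on the example_log; __PFN__ is a placeholder.
SAMPLE_TEMPLATE = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-AppXPackaging' "
    "Guid='{4bfe0fde-99d6-5630-8a47-da7bfaefd876}'/>"
    "<EventID>171</EventID><Version>0</Version><Level>4</Level><Task>0</Task>"
    "<Opcode>0</Opcode><Keywords>0x4000000000000000</Keywords>"
    "<TimeCreated SystemTime='2025-08-05T12:34:56.7890123Z'/>"
    "<EventRecordID>123456</EventRecordID><Correlation/>"
    "<Execution ProcessID='1234' ThreadID='5678'/>"
    "<Channel>Microsoft-Windows-AppXPackaging/Operational</Channel>"
    "<Computer>DESKTOP-EXAMPLE</Computer>"
    "<Security UserID='S-1-5-21-1234567890-1234567890-1234567890-1001'/>"
    "</System><EventData><Data Name='packageFullName'>__PFN__</Data>"
    "</EventData></Event>"
)


def make_sample(package_full_name):
    """Build a constructed EventID 171 record naming the given package."""
    return SAMPLE_TEMPLATE.replace("__PFN__", package_full_name)


@dataclass(frozen=True)
class PackageFullName:
    """Name_Version_Architecture_ResourceId_PublisherId. ResourceId is usually
    empty, which is why a package full name carries a double underscore."""
    name: str
    version: str
    architecture: str
    resource_id: str
    publisher_id: str


def parse_package_full_name(pfn):
    parts = pfn.split("_")
    if len(parts) != 5:
        raise ValueError(f"not a package full name: {pfn!r}")
    return PackageFullName(*parts)


def parse_event(xml_text):
    """Extract the fields this data source lists from one XmlWinEventLog record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "EventCode": int(system.findtext("e:EventID", namespaces=NS)),
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "SystemTime": system.find("e:TimeCreated", NS).get("SystemTime"),
        # user_id is the raw SID from the Security element; resolve it to an
        # account name downstream (the event does not carry the name).
        "user_id": system.find("e:Security", NS).get("UserID"),
        "packageFullName": data.get("packageFullName"),
    }


def evaluate(event, trusted_publisher_ids):
    """Hypothetical detection rule: alert on any 171 event whose package does
    not carry an allowlisted publisher ID. Returns a verdict dict."""
    if event["EventCode"] != 171 or not event["packageFullName"]:
        return {"alert": False, "reason": "not an MSIX interaction event"}
    pfn = parse_package_full_name(event["packageFullName"])
    if pfn.publisher_id in trusted_publisher_ids:
        return {"alert": False, "reason": f"trusted publisher {pfn.publisher_id}"}
    return {
        "alert": True,
        "reason": (f"untrusted publisher {pfn.publisher_id} for {pfn.name} "
                   f"{pfn.version} opened by {event['user_id']} on {event['Computer']}"),
    }


# Assumed allowlist. 8wekyb3d8bbwe is Microsoft's publisher ID and shows the
# 13-character shape of a real one; the 'abcd1234' in the example_log is a placeholder.
TRUSTED_PUBLISHERS = {"8wekyb3d8bbwe"}

if __name__ == "__main__":
    for pfn in ("MaliciousApp_1.0.0.0_x64__abcd1234",
                "Microsoft.WindowsCalculator_11.2405.0.0_x64__8wekyb3d8bbwe"):
        print(evaluate(parse_event(make_sample(pfn)), TRUSTED_PUBLISHERS))
```

On a live host the same XML can be pulled with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-AppXPackaging/Operational'; Id=171}` and each record's `.ToXml()` fed to `parse_event`. The publisher ID in the package full name is derived from the signing certificate's subject, so an allowlist on it is a useful first filter, but it is not a signature check: a package that was never installed has not had its signature validated by the deployment stack at the point this event fires.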