Microsoft Appx packages signed with stolen certificates have been used by Magniber ransomware in the past. For todays yara rule I wanted to simple detect microsoft appx files. This rule is going to be a building block for me to detect suspicous appx files in the future
Here is the Yara rule that I created for detecting appx files:
rule gen_appx_files {
meta:
author = "Colin Cowie"
description = "Detects appx files"
reference = "https://twitter.com/f0wlsec/status/1481338661824307204"
strings:
$header = { 50 4B 03 04 }
$xml_string = "AppxManifest.xmlPK"
$ct_xml = "[Content_Types].xmlPK"
$ci_cat = "AppxMetadata/CodeIntegrity.catPK"
$signature_string = "AppxSignature.p7xPK"
$block_map = "AppxBlockMap.xmlPK"
condition:
$header at 0
and $xml_string and $ct_xml and $ci_cat and $signature_string and $block_map
}
The file header here is a generic archive header. During the process of writing this rule I had to do a bit of testing with figuring out what strings are unique to microsoft appx. While reviewing the results of retro hunting a noticied a few executables that don't seem to be appx but for the most part this rule works alright!