Microsoft AppX (UWP) concept is OK, but good grief the technical implementation is awful!
I just spent 2 hours fixing a nonsense issue, where the InstallLocation of an app was changed to NULL due to a disk volume change and of course the App failed to start or run or even uninstall. You couldn't re-install it from the store either.
Had to scrub the registry clean with SYSTEM access to get even some control over it, but now it remains to be seen if it helped or not...
#appx #uwp #windows
As promised, here are our #Yara rules for unsigned #appx/#msix Installer packages:
Installer: https://yaraify.abuse.ch/yarahub/rule/SUS_Unsigned_APPX_MSIX_Installer_Feb23/
Manifest: https://yaraify.abuse.ch/yarahub/rule/SUS_Unsigned_APPX_MSIX_Manifest_Feb23/
Also make sure to check out this thread by @nas_bench on Event Log/Sigma detections: https://twitter.com/nas_bench/status/1613541713741488128
Proof of Concept: #Malware Delivery via #appx/#msix packages.
In our test case we needed administrative permissions to install the package with putty.exe as our test payload.
We did test it first with a #Wannacry #Ransomware binary, but Windows Defender caught the payload and that didn't look so nice on a screenshot 😅
Our .appx demo package is based on an in-the-wild sample of #Magniber #Ransomware that was signed with a stolen signature (Jan 2022). With this change in Windows 11 it is now possible to install unsigned appx packages (given required perms).
https://twitter.com/f0wlsec/status/1481338661824307204
Detection opportunities:
- Execution out of C:\Program Files\WindowsApps\
- Looking for the special OID documented by Microsoft here: https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
We are going to publish our #Yara rules for this tomorrow, stay tuned.
#malware #appx #wannacry #ransomware #Magniber #yara
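As an added example (not part of the thread above), a small Python script that implements the two detection opportunities listed: flag process creation from under WindowsApps and check an AppxManifest.xml for the unsigned-package OID marker. The manifest, the package name and the event records are constructed; the OID value is the one Microsoft documents at the learn.microsoft.com link above and is assumed here, so verify it against that page.

```python
import xml.etree.ElementTree as ET

# Marker Microsoft documents for unsigned packages (learn.microsoft.com link above):
# the Identity Publisher must end with this OID component. Assumed value, verify it there.
UNSIGNED_PACKAGE_OID = "OID.2.25.311729368913984317654407730594956997722=1"
WINDOWSAPPS_DIR = "c:\\program files\\windowsapps\\"

# Constructed AppxManifest.xml, modelled on the documented unsigned-package layout.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Contoso.Demo" Version="1.0.0.0"
            Publisher="CN=Contoso, OID.2.25.311729368913984317654407730594956997722=1"/>
</Package>"""

# Constructed process-creation records (Image as Sysmon EID 1 / Security 4688 would log it).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WindowsApps\Contoso.Demo_1.0.0.0_x64__abc123\putty.exe",
     "User": "lab\\alice"},
    {"Image": r"C:\Windows\System32\notepad.exe", "User": "lab\\alice"},
]


def manifest_is_unsigned(manifest_xml: str) -> bool:
    """True if the Identity element's Publisher carries the unsigned-package OID marker."""
    root = ET.fromstring(manifest_xml)
    # The schema namespace differs between manifest versions, so match on the local name.
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Identity":
            publisher = elem.get("Publisher", "")
            # Compare individual RDN components, case-insensitively and whitespace-trimmed.
            parts = [p.strip().lower() for p in publisher.split(",")]
            return UNSIGNED_PACKAGE_OID.lower() in parts
    return False


def runs_from_windowsapps(event: dict) -> bool:
    """True if the process image lives under the WindowsApps package store."""
    return event.get("Image", "").lower().startswith(WINDOWSAPPS_DIR)


def flag_events(events: list) -> list:
    """Return the image paths of all process-creation events worth a closer look."""
    return [e["Image"] for e in events if runs_from_windowsapps(e)]
```

Legitimate sideloaded developer builds also carry the OID and also run from WindowsApps, so treat a hit as a triage lead, not a verdict.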
MobSF
Mobile Security Framework (#MobSF) is a complete, automated application (#Android/#iOS/#Windows) for carrying out penetration testing, #malware analysis and security assessment of mobile #APP. The #opensource system can perform static and dynamic analysis, supports binaries such as #APK, #XAPK, #IPA and #APPX together with source code, and provides a REST API for integration and automation within your CI/CD or #DevSecOps pipeline.
https://www.redhotcyber.com/post/programmi-hacker-mobsf
#MobSF #XAPK #devsecops #android #malware #app #opensource #apk #ipa #appx