
Summary
This detection rule identifies the installation of MSIX/AppX packages that run with full trust privileges on Windows systems. Such installations are a security risk because a full trust package is not bound by the standard AppX container restrictions and can perform elevated actions that may be malicious if the package was installed without appropriate verification. The detection is built on monitoring Event ID 400, which is logged for these installations. The rule looks for elevated installation actions and then applies several filters to separate legitimate package sources from potentially malicious ones: it excludes packages installed from paths commonly used by standard applications, checks whether the invoking process is one of the expected Windows services, and applies further criteria to remove common sources of false positives arising from legitimate application installations. While effective, the rule should undergo baseline tuning to minimize false alerts before it is deployed in production environments.
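The following is an added example, not the rule's own source, that applies the logic described above (Event ID 400, full trust, path and invoking-process exclusions) to a few constructed deployment events. The `key=value;` event format, the field names (`EventId`, `PackageFullName`, `Path`, `ProcessName`, `FullTrust`) and the contents of the two exclusion lists are assumptions made for illustration; in practice the lists are what baseline tuning would populate from an environment's own telemetry.

```python
"""Added example (not the rule's own source): evaluates the described detection
logic over constructed AppX deployment events. Field names, the key=value event
format and the exclusion lists are assumptions for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

TARGET_EVENT_ID = 400  # installation event the rule monitors

# Assumed examples of install locations used by standard (Store/inbox) packages;
# installs from these are treated as expected and are excluded.
EXPECTED_PACKAGE_PATHS = (
    "c:\\program files\\windowsapps\\",
    "c:\\windows\\systemapps\\",
)

# Assumed example of a Windows service process expected to drive deployments.
EXPECTED_INVOKING_PROCESSES = frozenset({
    "c:\\windows\\system32\\svchost.exe",
})


@dataclass(frozen=True)
class AppxDeployEvent:
    event_id: int
    package_full_name: str
    path: str            # location the package was installed from
    process_name: str    # process that invoked the deployment
    full_trust: bool     # package declares full trust (assumed flag)


def parse_event(line: str) -> Optional[AppxDeployEvent]:
    """Parse one constructed 'key=value;...' log line; return None if malformed."""
    fields = {}
    for part in line.strip().split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    try:
        return AppxDeployEvent(
            event_id=int(fields["eventid"]),
            package_full_name=fields["packagefullname"],
            path=fields["path"],
            process_name=fields["processname"],
            full_trust=fields.get("fulltrust", "false").lower() == "true",
        )
    except (KeyError, ValueError):
        return None


def is_suspicious(ev: AppxDeployEvent) -> bool:
    """Rule logic: Event ID 400, full trust, not from an expected path and
    not invoked by an expected Windows service process."""
    if ev.event_id != TARGET_EVENT_ID or not ev.full_trust:
        return False
    path = ev.path.lower()
    if any(path.startswith(prefix) for prefix in EXPECTED_PACKAGE_PATHS):
        return False
    if ev.process_name.lower() in EXPECTED_INVOKING_PROCESSES:
        return False
    return True


def scan(lines: Iterable[str]) -> List[str]:
    """Return the PackageFullName of every event the rule would alert on.
    Malformed lines are skipped rather than alerted on."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_suspicious(ev):
            hits.append(ev.package_full_name)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    # Store app from the standard location: expected, no alert
    "EventId=400;PackageFullName=Contoso.Notes_1.0.0.0_x64__abc123;Path=C:\\Program Files\\WindowsApps\\Contoso.Notes_1.0.0.0_x64__abc123;ProcessName=C:\\Windows\\System32\\svchost.exe;FullTrust=true",
    # full-trust package from a user temp folder, invoked by a non-service process: alert
    "EventId=400;PackageFullName=Update.Installer_2.1.0.0_x64__xyz789;Path=C:\\Users\\alice\\AppData\\Local\\Temp\\installer.msix;ProcessName=C:\\Users\\alice\\Downloads\\setup.exe;FullTrust=true",
    # same kind of path but no full trust: outside the rule's scope
    "EventId=400;PackageFullName=Sandbox.Tool_1.0.0.0_x64__def456;Path=C:\\Users\\alice\\Downloads\\tool.msix;ProcessName=C:\\Users\\alice\\Downloads\\tool.exe;FullTrust=false",
    # a different event id is ignored regardless of its fields
    "EventId=401;PackageFullName=Other.App_1.0.0.0_x64__ghi000;Path=C:\\Users\\bob\\Downloads\\app.msix;ProcessName=C:\\Users\\bob\\app.exe;FullTrust=true",
    "this line is malformed",
]

if __name__ == "__main__":
    for name in scan(SAMPLE_LOG):
        print("ALERT full-trust AppX install:", name)
```

Only the second sample event survives all three filters. Path matching is a case-insensitive prefix test, so tuning consists of extending `EXPECTED_PACKAGE_PATHS` and `EXPECTED_INVOKING_PROCESSES` with what a baseline of legitimate installs shows; keep those lists as narrow as the baseline supports, since every prefix added is a location from which a full trust install will no longer be reported.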
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
- Logon Session
Created: 2025-11-03