
Potential Malicious AppX Package Installation Attempts

Summary
This detection rule identifies installations, or installation attempts, of known malicious AppX packages on Windows systems. It watches Event IDs 400 and 401 in the Microsoft-Windows-AppXDeploymentServer/Operational log (Sigma logsource service appxdeployment-server) and alerts when the PackageFullName field of such an event contains one of a fixed set of identifiers associated with known malicious packages. Malware increasingly abuses the AppX deployment mechanism to drop and execute payloads, so matching these events promptly gives defenders a chance to act before the payload runs. Because the rule is indicator-based, it only fires on package names that contain a listed fragment: it will not catch a repackaged or renamed variant, and its coverage depends on keeping the identifier list current with the threat landscape. False positives are unlikely but possible if a legitimate package's full name happens to contain a listed fragment, so hits should be confirmed against the package's publisher and source before acting on them.
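The following is an added illustration of the selection logic described above, not code from the Sigma rule or the SigmaHQ project. It re-implements the rule's two conditions (EventID in {400, 401} and a case-insensitive PackageFullName substring match, which is how Sigma's contains modifier behaves) in Python and runs them over constructed AppXDeploymentServer events. The identifiers in WATCHLIST and the sample package names are placeholders chosen for the example; the real rule carries its own indicator list.

```python
"""Re-implementation of the rule's selection logic over constructed events.

Added example, not the Sigma rule itself. WATCHLIST holds hypothetical
package-name fragments; substitute the rule's real indicators to reproduce it.
"""

# The rule's logsource is product: windows, service: appxdeployment-server,
# i.e. the Microsoft-Windows-AppXDeploymentServer/Operational channel.
EVENT_IDS = {400, 401}

# Hypothetical indicator fragments (placeholders, not real malware names).
WATCHLIST = [
    "EvilUpdater_1.0.0.0_neutral__",
    "Contoso.FakeInstaller_",
]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's selection:
    EventID is 400 or 401 AND PackageFullName contains a watchlist fragment.
    Sigma string modifiers are case-insensitive, so both sides are lowercased."""
    try:
        event_id = int(event.get("EventID", -1))
    except (TypeError, ValueError):
        return False
    if event_id not in EVENT_IDS:
        return False
    name = str(event.get("PackageFullName", "")).lower()
    return any(fragment.lower() in name for fragment in WATCHLIST)


def find_hits(events):
    """Return (index, PackageFullName) for every event the rule would alert on."""
    return [(i, e.get("PackageFullName")) for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (not captured log data). Field names follow the
# parsed Windows event fields a Sigma backend would query.
SAMPLE_EVENTS = [
    # Benign package, no watchlist hit.
    {"EventID": 400, "PackageFullName": "Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe"},
    # Hypothetical malicious package, deployment event 400.
    {"EventID": 400, "PackageFullName": "EvilUpdater_1.0.0.0_neutral__abc123xyz"},
    # Same package, event 401, different letter case: still matches.
    {"EventID": 401, "PackageFullName": "evilupdater_1.0.0.0_NEUTRAL__abc123xyz"},
    # Same package name but an EventID outside the rule's 400/401 selection.
    {"EventID": 404, "PackageFullName": "EvilUpdater_1.0.0.0_neutral__abc123xyz"},
    # Benign package whose name is close to, but does not contain, a fragment.
    {"EventID": 401, "PackageFullName": "Contoso.Installer_2.0.0.0_x64__abc123xyz"},
]

if __name__ == "__main__":
    for idx, pkg in find_hits(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}] PackageFullName={pkg}")
```

Running the block prints alerts for the two events at indices 1 and 2 only. The example also shows the two practical limits of an indicator-based rule: the event with ID 404 carries the same package name yet is ignored, and the benign Contoso package is untouched because the match is a plain substring test, so anything not on the list is invisible to the rule.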
Categories
  • Windows
  • Endpoint
Data Sources
  • Application Log
  • Windows Registry
Created: 2023-01-11