Exploring MSIX Threat Landscape

Teruki Yoshikawa, Syogo Hayashi

NorthSec 2025 · Day 1 · Salle de bal

SOC analysts Teruki Yoshikawa and Syogo Hayashi of NTT Security Holdings examined how attackers are evolving beyond known MSIX-based malware delivery to abuse deeper Windows internals. The talk covers four novel attack categories that bypassed Microsoft Defender for Endpoint in April 2025 testing: Virtual File System (VFS) redirection abuse, PSF Fixup DLL misuse, MSIX modification packages, and an autoupdate persistence mechanism. Sigma detection rules and policy-based countermeasures are provided for defenders.

AI review

NTT Security Holdings SOC analysts Yoshikawa and Hayashi present four original MSIX attack techniques, developed proactively ahead of anticipated threat actor adoption: AppDomainManager injection via VFS-redirected .config files, VFS-based DLL hijacking for AMSI and UAC bypass, modification package cross-certificate trust abuse, and autoupdate-based persistence for post-deployment payload staging. Three of the four produced zero alerts in Defender for Endpoint testing as of April 2025. Sigma rules and policy countermeasures are provided.
