XBAP Execution From Uncommon Locations Via PresentationHost.EXE (d22e2925-cfd8-463f-96f6-89cec9d9bc5f)

Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
XBAP Execution From Uncommon Locations Via PresentationHost.EXE (d22e2925-cfd8-463f-96f6-89cec9d9bc5f)	Sigma-Rules	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	1