ClearFake Detection Analytics
Queries to detect the initial creation of a malicious .appx file
//TTP: ClearFake - Possible creation of malicious .appx file
// Flags Explorer.exe (the user's shell, i.e. a user-driven action) writing the core
// components of an AppX package. =~ and in~ are case-insensitive comparisons.
DeviceFileEvents
| where InitiatingProcessFileName =~ "Explorer.exe" and FileName in~ ("AppxProvider.dll","AppxManifest.xml")
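The same filter logic, re-implemented in Python so it can be exercised offline against a handful of constructed DeviceFileEvents rows. This is an added example, not part of the original analytics page: the process and file names are taken from the query above, while the hosts, paths, timestamps and the `svchost.exe` control row are constructed sample telemetry, not real indicators. It mirrors KQL's case-insensitive `=~` and `in~` operators, which is why rows whose casing differs from the query literals still match.

```python
"""Offline re-implementation of the ClearFake .appx creation query.

Added example (not code from the original page). It applies the same
conditions as the DeviceFileEvents KQL above to constructed event rows,
reproducing the case-insensitive semantics of KQL's `=~` and `in~`.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Literals taken directly from the page's query.
INITIATING_PROCESS = "Explorer.exe"
SUSPICIOUS_FILES = ("AppxProvider.dll", "AppxManifest.xml")


@dataclass(frozen=True)
class DeviceFileEvent:
    """Minimal subset of DeviceFileEvents columns needed by the query."""
    Timestamp: str
    DeviceName: str
    ActionType: str
    FileName: str
    FolderPath: str
    InitiatingProcessFileName: str


def ci_equals(left: str, right: str) -> bool:
    """KQL `=~`: case-insensitive string equality."""
    return left.casefold() == right.casefold()


def ci_in(value: str, candidates: Iterable[str]) -> bool:
    """KQL `in~`: case-insensitive membership test."""
    folded = value.casefold()
    return any(folded == candidate.casefold() for candidate in candidates)


def matches_clearfake_appx(event: DeviceFileEvent) -> bool:
    """The `| where ...` clause of the page's query, one row at a time."""
    return (ci_equals(event.InitiatingProcessFileName, INITIATING_PROCESS)
            and ci_in(event.FileName, SUSPICIOUS_FILES))


def detect_clearfake_appx(events: Iterable[DeviceFileEvent]) -> List[DeviceFileEvent]:
    """Return the rows the KQL query would emit for the given telemetry."""
    return [event for event in events if matches_clearfake_appx(event)]


# Constructed sample telemetry: hypothetical hosts, users and paths (not real IoCs).
SAMPLE_EVENTS = [
    # Casing differs from the query literal; =~ still matches.
    DeviceFileEvent("2024-01-01T10:00:00Z", "host-a", "FileCreated",
                    "AppxManifest.xml", r"C:\Users\alice\Downloads\pkg",
                    "explorer.exe"),
    # Lower-cased file name; in~ still matches.
    DeviceFileEvent("2024-01-01T10:00:01Z", "host-a", "FileCreated",
                    "appxprovider.dll", r"C:\Users\alice\Downloads\pkg",
                    "Explorer.exe"),
    # Same file name, different initiating process: no match.
    DeviceFileEvent("2024-01-01T10:05:00Z", "host-b", "FileCreated",
                    "AppxManifest.xml", r"C:\Program Files\WindowsApps\pkg",
                    "svchost.exe"),
    # Explorer.exe writing an unrelated file: no match.
    DeviceFileEvent("2024-01-01T10:06:00Z", "host-b", "FileCreated",
                    "report.docx", r"C:\Users\bob\Documents",
                    "Explorer.exe"),
]


if __name__ == "__main__":
    for hit in detect_clearfake_appx(SAMPLE_EVENTS):
        print(f"{hit.Timestamp} {hit.DeviceName} "
              f"{hit.InitiatingProcessFileName} -> {hit.FolderPath}\\{hit.FileName}")
```

Running the script prints the two `host-a` rows and nothing for `host-b`, which is the same set the KQL query would return over that telemetry; the `svchost.exe` row shows why the initiating-process condition matters for keeping legitimate package deployment out of the results.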