Remote AppX Package Downloaded from File Sharing or CDN Domain

 1title: Remote AppX Package Downloaded from File Sharing or CDN Domain
 2id: 8b48ad89-10d8-4382-a546-50588c410f0d
 3status: test
 4description: |
 5        Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
 6references:
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 9    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-11
12modified: 2025-12-10
13tags:
14    - attack.defense-evasion
15logsource:
16    product: windows
17    service: appxdeployment-server
18detection:
19    selection:
20        EventID: 854
21        Path|contains:
22            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
23            - 'anonfiles.com'
24            - 'cdn.discordapp.com'
25            - 'ddns.net'
26            - 'dl.dropboxusercontent.com'
27            - 'ghostbin.co'
28            - 'github.com'
29            - 'glitch.me'
30            - 'gofile.io'
31            - 'hastebin.com'
32            - 'mediafire.com'
33            - 'mega.nz'
34            - 'onrender.com'
35            - 'pages.dev'
36            - 'paste.ee'
37            - 'pastebin.com'
38            - 'pastebin.pl'
39            - 'pastetext.net'
40            - 'privatlab.com'
41            - 'privatlab.net'
42            - 'send.exploit.in'
43            - 'sendspace.com'
44            - 'storage.googleapis.com'
45            - 'storjshare.io'
46            - 'supabase.co'
47            - 'temp.sh'
48            - 'transfer.sh'
49            - 'trycloudflare.com'
50            - 'ufile.io'
51            - 'w3spaces.com'
52            - 'workers.dev'
53    condition: selection
54falsepositives:
55    - Unlikely, unless the organization uses file sharing or CDN services to distribute internal applications.
56level: high

References

• Inside Malicious Windows Apps for Malware Deployment

  

  Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.

  
  Read More

• Troubleshooting packaging, deployment, and query of Windows apps - Win32 apps

  

  Use these suggestions to troubleshoot problems you experience when packaging, deploying, or querying an app package.

  
  Read More

• https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/

  
  Read More

Related rules

• AppX Located in Known Staging Directory Added to Deployment Pipeline
• AppX Located in Uncommon Directory Added to Deployment Pipeline
• AppX Package Deployment Failed Due to Signing Requirements
• Deployment AppX Package Was Blocked By AppLocker
• Deployment Of The AppX Package Was Blocked By The Policy