AppX Located in Known Staging Directory Added to Deployment Pipeline

calendar Dec 24, 2025 · attack.defense-evasion  ·
Share on: linkedin copy

Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.

Sigma rule (View on GitHub)

 1title: AppX Located in Known Staging Directory Added to Deployment Pipeline
 2id: 5cdeaf3d-1489-477c-95ab-c318559fc051
 3status: test
 4description: |
 5        Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
 6references:
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 9    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-11
12tags:
13    - attack.defense-evasion
14logsource:
15    product: windows
16    service: appxdeployment-server
17detection:
18    selection_eid:
19        EventID: 854
20    selection_paths_forward:
21        Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
22            - ':/Perflogs/'
23            - ':/Users/Public/'
24            - ':/Windows/Temp/'
25            - '/AppdData/Local/Temp/'
26            - '/Desktop/'
27            - '/Downloads/'
28    selection_paths_back:
29        Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
30            - ':\PerfLogs\'
31            - ':\Users\Public\'
32            - ':\Windows\Temp\'
33            - '\AppdData\Local\Temp\'
34            - '\Desktop\'
35            - '\Downloads\'
36    condition: selection_eid and 1 of selection_paths_*
37falsepositives:
38    - Unknown
39level: high

References

Related rules

to-top