Suspicious Remote AppX Package Locations

 1title: Suspicious Remote AppX Package Locations
 2id: 8b48ad89-10d8-4382-a546-50588c410f0d
 3status: experimental
 4description: |
 5        Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain.
 6references:
 7    - Internal Research
 8    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 9    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
10    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-01-11
13modified: 2024-08-22
14tags:
15    - attack.defense-evasion
16logsource:
17    product: windows
18    service: appxdeployment-server
19detection:
20    selection:
21        EventID: 854
22        Path|contains:
23            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
24            - 'anonfiles.com'
25            - 'cdn.discordapp.com'
26            - 'ddns.net'
27            - 'dl.dropboxusercontent.com'
28            - 'ghostbin.co'
29            - 'glitch.me'
30            - 'gofile.io'
31            - 'hastebin.com'
32            - 'mediafire.com'
33            - 'mega.nz'
34            - 'onrender.com'
35            - 'pages.dev'
36            - 'paste.ee'
37            - 'pastebin.com'
38            - 'pastebin.pl'
39            - 'pastetext.net'
40            - 'privatlab.com'
41            - 'privatlab.net'
42            - 'send.exploit.in'
43            - 'sendspace.com'
44            - 'storage.googleapis.com'
45            - 'storjshare.io'
46            - 'supabase.co'
47            - 'temp.sh'
48            - 'transfer.sh'
49            - 'trycloudflare.com'
50            - 'ufile.io'
51            - 'w3spaces.com'
52            - 'workers.dev'
53    condition: selection
54falsepositives:
55    - Unknown
56level: high

References

• Internal Research

  
  Read More

• Inside Malicious Windows Apps for Malware Deployment

  

  Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.

  
  Read More

• Troubleshooting packaging, deployment, and query of Windows apps - Win32 apps

  

  Use these suggestions to troubleshoot problems you experience when packaging, deploying, or querying an app package.

  
  Read More

• BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism

  

  The unusual technique invokes the Windows App Installer to deliver malware

  
  Read More

Related rules

• Suspicious Download From File-Sharing Website Via Bitsadmin
• Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
• Driver Added To Disallowed Images In HVCI - Registry
• Hidden Flag Set On File/Directory Via Chflags - MacOS
• Diskshadow Script Mode - Execution From Potential Suspicious Location