Suspicious AppX Package Locations
Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
Sigma rule (View on GitHub)
1title: Suspicious AppX Package Locations
2id: 5cdeaf3d-1489-477c-95ab-c318559fc051
3status: test
4description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
5references:
6 - Internal Research
7 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
8 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
9 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-11
12tags:
13 - attack.defense-evasion
14logsource:
15 product: windows
16 service: appxdeployment-server
17detection:
18 selection:
19 EventID: 854
20 Path|contains:
21 # Paths can be written using forward slash if the "file://" protocol is used
22 - 'C:\Users\Public\'
23 - '/users/public/'
24 - 'C:\PerfLogs\'
25 - 'C:/perflogs/'
26 - '\Desktop\'
27 - '/desktop/'
28 - '\Downloads\'
29 - '/Downloads/'
30 - 'C:\Windows\Temp\'
31 - 'C:/Windows/Temp/'
32 - '\AppdData\Local\Temp\'
33 - '/AppdData/Local/Temp/'
34 condition: selection
35falsepositives:
36 - Unknown
37level: high
References
-
Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.
Read More -
Use these suggestions to troubleshoot problems you experience when packaging, deploying, or querying an app package.
Read More -
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity