Uncommon AppX Package Locations
Detects an appx package added to the pipeline of "to be processed" packages that is located in an uncommon location
Sigma rule
```yaml
title: Uncommon AppX Package Locations
id: c977cb50-3dff-4a9f-b873-9290f56132f1
status: test
description: Detects an appx package added to the pipeline of the "to be processed" packages which is located in uncommon locations
references:
    - Internal Research
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-10-07
tags:
    - attack.defense-evasion
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 854
    filter_main_generic:
        Path|contains:
            # Paths can be written using forward slash if the "file://" protocol is used
            - 'C:\Program Files\WindowsApps\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\SystemApps\'
            - 'C:\Windows\PrintDialog\'
            - 'C:\Windows\ImmersiveControlPanel\'
            - 'x-windowsupdate://'
            - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
    filter_main_specific:
        Path|contains:
            - 'https://statics.teams.cdn.live.net/'
            - 'https://statics.teams.cdn.office.net/'
            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
            - 'https://installer.teams.static.microsoft/'
    filter_optional_onedrive:
        Path|contains: 'AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
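To see how the condition resolves in practice, here is an added Python example (not part of the rule or the SigmaHQ project) that applies the rule's selection and the three filter lists to a handful of constructed AppXDeployment-Server Event ID 854 records. The event dictionaries and their `Path` values are constructed for the example, and the lowercase comparison is an assumption modelled on Sigma's default case-insensitive string matching; the filter substrings themselves are copied from the rule above.

```python
"""Added example: evaluate the 'Uncommon AppX Package Locations' rule logic
over constructed Event ID 854 records. Not the rule's own code."""

from typing import Dict, List

# Substrings copied from the rule's filter lists. Backslashes are doubled
# because Python string literals cannot end in a single backslash.
FILTER_MAIN_GENERIC: List[str] = [
    "C:\\Program Files\\WindowsApps\\",
    "C:\\Program Files (x86)\\",
    "C:\\Windows\\SystemApps\\",
    "C:\\Windows\\PrintDialog\\",
    "C:\\Windows\\ImmersiveControlPanel\\",
    "x-windowsupdate://",
    "file:///C:/Program%20Files",  # also covers file:///C:/Program%20Files%20(x86)/
    "AppData/Local/Temp/WinGet/Microsoft.Winget.Source",
]
FILTER_MAIN_SPECIFIC: List[str] = [
    "https://statics.teams.cdn.live.net/",
    "https://statics.teams.cdn.office.net/",
    "microsoft.com",
    "https://installer.teams.static.microsoft/",
]
FILTER_OPTIONAL_ONEDRIVE: List[str] = ["AppData\\Local\\Microsoft\\OneDrive\\"]


def _contains_any(value: str, needles: List[str]) -> bool:
    """Sigma's |contains modifier, assumed case-insensitive (Sigma default)."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_rule(event: Dict[str, object]) -> bool:
    """Return True when the event would trigger the rule.

    Mirrors the condition:
      selection and not 1 of filter_main_* and not 1 of filter_optional_*
    """
    # selection: EventID 854 from the appxdeployment-server channel
    if event.get("EventID") != 854:
        return False
    path = str(event.get("Path", ""))
    # "1 of filter_main_*": either main filter matching suppresses the alert
    if _contains_any(path, FILTER_MAIN_GENERIC) or _contains_any(path, FILTER_MAIN_SPECIFIC):
        return False
    # "1 of filter_optional_*": the OneDrive updater path is also suppressed
    if _contains_any(path, FILTER_OPTIONAL_ONEDRIVE):
        return False
    return True


# Constructed sample events (not real telemetry), one per branch of the rule.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 854, "Path": "C:\\Users\\alice\\Downloads\\update.appx"},          # alert
    {"EventID": 854, "Path": "C:\\Program Files\\WindowsApps\\Contoso.App_1.0_x64.appx"},  # generic filter
    {"EventID": 854, "Path": "file:///C:/Program%20Files%20(x86)/Vendor/app.msix"},  # forward-slash form
    {"EventID": 854, "Path": "https://go.microsoft.com/fwlink/?linkid=2160968"},  # specific filter
    {"EventID": 854, "Path": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDrive.appx"},  # optional filter
    {"EventID": 854, "Path": "https://cdn.example.invalid/installer.appxbundle"},  # alert
    {"EventID": 855, "Path": "C:\\Users\\alice\\Downloads\\update.appx"},          # wrong EventID
]


def find_alerts(events: List[Dict[str, object]]) -> List[str]:
    """Return the Path of every event the rule would flag."""
    return [str(e["Path"]) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for flagged in find_alerts(SAMPLE_EVENTS):
        print("uncommon AppX package location:", flagged)
```

Running the block flags only the two paths outside the allow-listed locations; the `file:///C:/Program%20Files...` record shows why the comment in the rule about forward-slash paths matters, since a backslash-only filter would miss it.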
Related rules
- Amsi.DLL Loaded Via LOLBIN Process
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Delete Defender Scan ShellEx Context Menu Registry Key
- Files With System Process Name In Unsuspected Locations
- Filter Driver Unloaded Via Fltmc.EXE