Uncommon AppX Package Locations

 1title: Uncommon AppX Package Locations
 2id: c977cb50-3dff-4a9f-b873-9290f56132f1
 3status: test
 4description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 5references:
 6    - Internal Research
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 9    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-11
12modified: 2025-10-07
13tags:
14    - attack.defense-evasion
15logsource:
16    product: windows
17    service: appxdeployment-server
18detection:
19    selection:
20        EventID: 854
21    filter_main_generic:
22        Path|contains:
23            # Paths can be written using forward slash if the "file://" protocol is used
24            - 'C:\Program Files\WindowsApps\'
25            - 'C:\Program Files (x86)\'
26            - 'C:\Windows\SystemApps\'
27            - 'C:\Windows\PrintDialog\'
28            - 'C:\Windows\ImmersiveControlPanel\'
29            - 'x-windowsupdate://'
30            - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
31            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
32    filter_main_specific:
33        Path|contains:
34            - 'https://statics.teams.cdn.live.net/'
35            - 'https://statics.teams.cdn.office.net/'
36            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
37            - 'https://installer.teams.static.microsoft/'
38    filter_optional_onedrive:
39        Path|contains: 'AppData\Local\Microsoft\OneDrive\'
40    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
41falsepositives:
42    - Unknown
43level: medium

References

• Internal Research

  
  Read More

• Inside Malicious Windows Apps for Malware Deployment

  

  Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.

  
  Read More

• Troubleshooting packaging, deployment, and query of Windows apps - Win32 apps

  

  Use these suggestions to troubleshoot problems you experience when packaging, deploying, or querying an app package.

  
  Read More

• BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism

  

  The unusual technique invokes the Windows App Installer to deliver malware

  
  Read More

Related rules

• Amsi.DLL Loaded Via LOLBIN Process
• Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
• Delete Defender Scan ShellEx Context Menu Registry Key
• Files With System Process Name In Unsuspected Locations
• Filter Driver Unloaded Via Fltmc.EXE