Uncommon AppX Package Locations

 1title: Uncommon AppX Package Locations
 2id: c977cb50-3dff-4a9f-b873-9290f56132f1
 3status: test
 4description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 5references:
 6    - Internal Research
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 9    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-11
12modified: 2025-12-03
13tags:
14    - attack.defense-evasion
15logsource:
16    product: windows
17    service: appxdeployment-server
18detection:
19    selection:
20        EventID: 854
21    filter_main_generic:
22        Path|contains:
23            # Paths can be written using forward slash if the "file://" protocol is used
24            - 'C:\Program Files (x86)\'
25            - 'C:\Program Files\'
26            - 'C:\Program Files\WindowsApps\'
27            - 'C:\Windows\ImmersiveControlPanel\'
28            - 'C:\Windows\PrintDialog\'
29            - 'C:\Windows\SystemApps\'
30            - 'file:///C:/Program%20Files/'
31            - 'file:///C:/Program%20Files%20(x86)/'
32            - 'file:///C:/Windows/System32/'
33    filter_main_specific:
34        Path|contains:
35            - 'https://statics.teams.cdn.live.net/'
36            - 'https://statics.teams.cdn.office.net/'
37            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
38            - 'https://installer.teams.static.microsoft/'
39            - 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix
40    filter_optional_onedrive:
41        Path|contains: 'AppData\Local\Microsoft\OneDrive\'
42    filter_optional_winget:
43        Path|contains:
44            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
45            - 'AppData\Local\Temp\WinGet\Microsoft.Winget.Source'
46    filter_optional_x_windowsupdate:
47        Path|contains: 'x-windowsupdate://'
48    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
49falsepositives:
50    - Unknown
51level: medium

References

• Internal Research

  
  Read More

• Inside Malicious Windows Apps for Malware Deployment

  

  Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.

  
  Read More

• Troubleshooting packaging, deployment, and query of Windows apps - Win32 apps

  

  Use these suggestions to troubleshoot problems you experience when packaging, deploying, or querying an app package.

  
  Read More

• BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism

  

  The unusual technique invokes the Windows App Installer to deliver malware

  
  Read More

Related rules

• Creation of WerFault.exe/Wer.dll in Unusual Folder
• Files With System Process Name In Unsuspected Locations
• Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
• Potential System DLL Sideloading From Non System Locations
• Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load