Uncommon AppX Package Locations

 1title: Uncommon AppX Package Locations
 2id: c977cb50-3dff-4a9f-b873-9290f56132f1
 3status: test
 4description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 5references:
 6    - Internal Research
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 9    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-11
12modified: 2025-10-17
13tags:
14    - attack.defense-evasion
15logsource:
16    product: windows
17    service: appxdeployment-server
18detection:
19    selection:
20        EventID: 854
21    filter_main_generic:
22        Path|contains:
23            # Paths can be written using forward slash if the "file://" protocol is used
24            - 'C:\Program Files\WindowsApps\'
25            - 'C:\Program Files (x86)\'
26            - 'C:\Windows\SystemApps\'
27            - 'C:\Windows\PrintDialog\'
28            - 'C:\Windows\ImmersiveControlPanel\'
29            - 'x-windowsupdate://'
30            - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
31            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
32    filter_main_specific:
33        Path|contains:
34            - 'https://statics.teams.cdn.live.net/'
35            - 'https://statics.teams.cdn.office.net/'
36            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
37            - 'https://installer.teams.static.microsoft/'
38            - 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix
39    filter_optional_onedrive:
40        Path|contains: 'AppData\Local\Microsoft\OneDrive\'
41    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
42falsepositives:
43    - Unknown
44level: medium

References

• Internal Research

  
  Read More

• Inside Malicious Windows Apps for Malware Deployment

  

  Learn how threat actors manipulate Windows to install malicious apps that are trusted by the system, and how to defend against them.

  
  Read More

• Troubleshooting packaging, deployment, and query of Windows apps - Win32 apps

  

  Use these suggestions to troubleshoot problems you experience when packaging, deploying, or querying an app package.

  
  Read More

• BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism

  

  The unusual technique invokes the Windows App Installer to deliver malware

  
  Read More

Related rules

• Office Application Initiated Network Connection Over Uncommon Ports
• Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
• Suspicious Volume Shadow Copy Vssapi.dll Load
• Suspicious Process Suspension via WERFaultSecure through EDR-Freeze
• Program Executed Using Proxy/Local Command Via SSH.EXE