AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an AppX package that was added to the deployment pipeline (the queue of "to be processed" packages) from a path outside the common, expected locations such as Program Files, the Windows system app directories, WinGet staging or Microsoft download URLs.
Sigma rule
title: AppX Located in Uncommon Directory Added to Deployment Pipeline
id: c977cb50-3dff-4a9f-b873-9290f56132f1
status: test
description: |
    Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
references:
    - Internal Research
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-03
tags:
    - attack.defense-evasion
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 854
    filter_main_generic:
        Path|contains:
            # Paths can be written using forward slash if the "file://" protocol is used
            - ':/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
            - ':/Windows/System32/'
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\ImmersiveControlPanel\'
            - ':\Windows\PrintDialog\'
            - ':\Windows\SystemApps\'
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'x-windowsupdate://'
    filter_main_specific:
        Path|contains:
            - 'https://installer.teams.static.microsoft/'
            - 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix
            - 'https://statics.teams.cdn.live.net/'
            - 'https://statics.teams.cdn.office.net/'
            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
    filter_optional_onedrive:
        Path|contains: 'AppData\Local\Microsoft\OneDrive\'
    filter_optional_winget:
        Path|contains:
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'AppData\Local\Temp\WinGet\Microsoft.Winget.Source'
    filter_optional_x_windowsupdate:
        Path|contains: 'x-windowsupdate://'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
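To make the condition concrete, here is an added example that is not part of the rule or of the SigmaHQ project: a small Python re-implementation of the selection and filter logic above, run over a handful of constructed EventID 854 records whose Path values are made up for illustration. It assumes the events have already been read from the AppXDeployment-Server channel named in the logsource and parsed into dictionaries with EventID and Path keys, and it applies Sigma's `contains` modifier as a case-insensitive substring test, which is how Sigma string matching behaves by default.

```python
# Added example: replay of the Sigma detection logic over constructed
# AppXDeployment-Server EventID 854 records. Not code from the rule or from
# SigmaHQ. Assumes events are dicts with "EventID" (int) and "Path" (str).

# The three filter groups, copied from the rule. Sigma's 'contains' is a
# case-insensitive substring match, so they are applied that way below.
FILTER_MAIN_GENERIC = [
    ":/Program%20Files",
    ":/Windows/System32/",
    ":\\Program Files (x86)\\",
    ":\\Program Files\\",
    ":\\Windows\\ImmersiveControlPanel\\",
    ":\\Windows\\PrintDialog\\",
    ":\\Windows\\SystemApps\\",
    "AppData/Local/Temp/WinGet/Microsoft.Winget.Source",
    "x-windowsupdate://",
]
FILTER_MAIN_SPECIFIC = [
    "https://installer.teams.static.microsoft/",
    "https://res.cdn.office.net",
    "https://statics.teams.cdn.live.net/",
    "https://statics.teams.cdn.office.net/",
    "microsoft.com",
]
# filter_optional_onedrive, filter_optional_winget and
# filter_optional_x_windowsupdate, merged: the condition treats a hit in any
# one of them identically.
FILTER_OPTIONAL = [
    "AppData\\Local\\Microsoft\\OneDrive\\",
    "AppData/Local/Temp/WinGet/Microsoft.Winget.Source",
    "AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source",
    "x-windowsupdate://",
]


def contains_any(value: str, needles) -> bool:
    """Sigma 'contains': case-insensitive substring match against any needle."""
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in needles)


def rule_matches(event: dict) -> bool:
    """selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if event.get("EventID") != 854:          # selection
        return False
    path = event.get("Path", "")
    if contains_any(path, FILTER_MAIN_GENERIC + FILTER_MAIN_SPECIFIC):
        return False                         # 1 of filter_main_* matched
    if contains_any(path, FILTER_OPTIONAL):
        return False                         # 1 of filter_optional_* matched
    return True


# Constructed sample records (not real telemetry). Only the first and the last
# should survive the filters.
SAMPLE_EVENTS = [
    {"EventID": 854, "Path": "C:\\Users\\Public\\Downloads\\Installer.appx"},
    {"EventID": 854, "Path": "file:///C:/Program%20Files%20(x86)/WindowsApps/Contoso.App_1.0.0.0_x64__abc/Contoso.App.appx"},
    {"EventID": 854, "Path": "C:\\Windows\\SystemApps\\Microsoft.Windows.Search_cw5n1h2txyewy\\AppxManifest.xml"},
    {"EventID": 854, "Path": "https://go.microsoft.com/fwlink/?linkid=2160968"},
    {"EventID": 854, "Path": "C:\\Users\\alice\\AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source_8wekyb3d8bbwe\\source.msix"},
    # Substring filter: this host merely contains 'microsoft.com', yet it is suppressed.
    {"EventID": 854, "Path": "https://cdn.microsoft.com.example.test/Update.msix"},
    {"EventID": 855, "Path": "C:\\Users\\Public\\Downloads\\Other.appx"},  # wrong EventID
    {"EventID": 854, "Path": "\\\\fileshare\\drop\\Tool.msixbundle"},        # UNC path
]


def alerting_paths(events) -> list:
    """Return the Path of every record the rule would alert on, in input order."""
    return [e["Path"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for path in alerting_paths(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Two things the replay makes visible. Every filter is a plain substring test, so a URL that merely contains `microsoft.com` anywhere in its host (the sixth sample) is suppressed exactly as `https://go.microsoft.com/...` is; anyone tuning this rule should weigh that when deciding how broad the `filter_main_specific` entries should be. And the WinGet and `x-windowsupdate://` strings that appear in both `filter_main_generic` and the `filter_optional_*` groups are harmless duplicates, because the condition drops a record as soon as any one filter matches.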
Related rules
- AppX Located in Known Staging Directory Added to Deployment Pipeline
- AppX Package Deployment Failed Due to Signing Requirements
- Deployment AppX Package Was Blocked By AppLocker
- Deployment Of The AppX Package Was Blocked By The Policy
- Microsoft Malware Protection Engine Crash