Uncommon AppX Package Locations

calendar Aug 29, 2024 · attack.defense-evasion  ·
Share on: linkedin copy

Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations

Sigma rule (View on GitHub)

 1title: Uncommon AppX Package Locations
 2id: c977cb50-3dff-4a9f-b873-9290f56132f1
 3status: test
 4description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 5references:
 6    - Internal Research
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 9    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-11
12modified: 2024-08-29
13tags:
14    - attack.defense-evasion
15logsource:
16    product: windows
17    service: appxdeployment-server
18detection:
19    selection:
20        EventID: 854
21    filter_main_generic:
22        Path|contains:
23            # Paths can be written using forward slash if the "file://" protocol is used
24            - 'C:\Program Files\WindowsApps\'
25            - 'C:\Program Files (x86)\'
26            - 'C:\Windows\SystemApps\'
27            - 'C:\Windows\PrintDialog\'
28            - 'C:\Windows\ImmersiveControlPanel\'
29            - 'x-windowsupdate://'
30            - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
31    filter_main_specific:
32        Path|contains:
33            - 'https://statics.teams.cdn.live.net/'
34            - 'https://statics.teams.cdn.office.net/'
35            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
36    condition: selection and not 1 of filter_main_*
37falsepositives:
38    - Unknown
39level: medium

References

Related rules

to-top