Uncommon AppX Package Locations
Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
Sigma rule (View on GitHub)
1title: Uncommon AppX Package Locations
2id: c977cb50-3dff-4a9f-b873-9290f56132f1
3status: test
4description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
5references:
6 - Internal Research
7 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
8 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
9 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023-01-11
12modified: 2024-12-25
13tags:
14 - attack.defense-evasion
15logsource:
16 product: windows
17 service: appxdeployment-server
18detection:
19 selection:
20 EventID: 854
21 filter_main_generic:
22 Path|contains:
23 # Paths can be written using forward slash if the "file://" protocol is used
24 - 'C:\Program Files\WindowsApps\'
25 - 'C:\Program Files (x86)\'
26 - 'C:\Windows\SystemApps\'
27 - 'C:\Windows\PrintDialog\'
28 - 'C:\Windows\ImmersiveControlPanel\'
29 - 'x-windowsupdate://'
30 - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
31 filter_main_specific:
32 Path|contains:
33 - 'https://statics.teams.cdn.live.net/'
34 - 'https://statics.teams.cdn.office.net/'
35 - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
36 - 'https://installer.teams.static.microsoft/'
37 condition: selection and not 1 of filter_main_*
38falsepositives:
39 - Unknown
40level: medium
References
Related rules
- BITS Transfer Job With Uncommon Or Suspicious Remote TLD
- Suspicious Windows Service Tampering
- Lummac Stealer Activity - Execution Of More.com And Vbc.exe
- Potential Secure Deletion with SDelete
- NetNTLM Downgrade Attack - Registry