AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an AppX package that was added to the deployment server's pipeline of packages "to be processed" (Event ID 854) from an uncommon location, i.e. a path that is neither a system directory, a known Microsoft download URL nor a known package cache.
Sigma rule

```yaml
title: AppX Located in Uncommon Directory Added to Deployment Pipeline
id: c977cb50-3dff-4a9f-b873-9290f56132f1
status: test
description: |
    Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
references:
    - Internal Research
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-03
tags:
    - attack.stealth
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 854
    filter_main_generic:
        Path|contains:
            # Paths can be written using forward slash if the "file://" protocol is used
            - ':/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
            - ':/Windows/System32/'
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\ImmersiveControlPanel\'
            - ':\Windows\PrintDialog\'
            - ':\Windows\SystemApps\'
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'x-windowsupdate://'
    filter_main_specific:
        Path|contains:
            - 'https://installer.teams.static.microsoft/'
            - 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix
            - 'https://statics.teams.cdn.live.net/'
            - 'https://statics.teams.cdn.office.net/'
            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
    filter_optional_onedrive:
        Path|contains: 'AppData\Local\Microsoft\OneDrive\'
    filter_optional_winget:
        Path|contains:
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'AppData\Local\Temp\WinGet\Microsoft.Winget.Source'
    filter_optional_x_windowsupdate:
        Path|contains: 'x-windowsupdate://'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
Related rules
- .RDP File Created By Uncommon Application
- ADS Zone.Identifier Deleted By Uncommon Application
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity
- APT29 2018 Phishing Campaign CommandLine Indicators