Uncommon AppX Package Locations

calendar Dec 1, 2023 · attack.defense_evasion  ·
Share on: linkedin copy

Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations

Sigma rule (View on GitHub)

 1title: Uncommon AppX Package Locations
 2id: c977cb50-3dff-4a9f-b873-9290f56132f1
 3status: test
 4description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
 5references:
 6    - Internal Research
 7    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
 8    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
 9    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/01/11
12tags:
13    - attack.defense_evasion
14logsource:
15    product: windows
16    service: appxdeployment-server
17detection:
18    selection:
19        EventID: 854
20    filter_generic:
21        Path|contains:
22            # Paths can be written using forward slash if the "file://" protocol is used
23            - 'C:\Program Files\WindowsApps\'
24            - 'C:\Program Files (x86)\'
25            - 'C:\Windows\SystemApps\'
26            - 'C:\Windows\PrintDialog\'
27            - 'C:\Windows\ImmersiveControlPanel\'
28            - 'x-windowsupdate://'
29            - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
30    filter_specific:
31        Path|contains:
32            - 'https://statics.teams.cdn.office.net/'
33            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
34    condition: selection and not 1 of filter_*
35falsepositives:
36    - Unknown
37level: medium

References

Related rules

to-top