Uncommon AppX Package Locations
Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
Sigma rule (View on GitHub)
1title: Uncommon AppX Package Locations
2id: c977cb50-3dff-4a9f-b873-9290f56132f1
3status: test
4description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
5references:
6 - Internal Research
7 - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
8 - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
9 - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2023/01/11
12tags:
13 - attack.defense_evasion
14logsource:
15 product: windows
16 service: appxdeployment-server
17detection:
18 selection:
19 EventID: 854
20 filter_generic:
21 Path|contains:
22 # Paths can be written using forward slash if the "file://" protocol is used
23 - 'C:\Program Files\WindowsApps\'
24 - 'C:\Program Files (x86)\'
25 - 'C:\Windows\SystemApps\'
26 - 'C:\Windows\PrintDialog\'
27 - 'C:\Windows\ImmersiveControlPanel\'
28 - 'x-windowsupdate://'
29 - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
30 filter_specific:
31 Path|contains:
32 - 'https://statics.teams.cdn.office.net/'
33 - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
34 condition: selection and not 1 of filter_*
35falsepositives:
36 - Unknown
37level: medium
References
Related rules
- Atbroker Registry Change
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- Deployment AppX Package Was Blocked By AppLocker
- Deployment Of The AppX Package Was Blocked By The Policy