AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". AppInstaller.exe is the default handler for the "ms-appinstaller:" URI scheme: when such a URI is opened (from a browser, a shortcut, or a command line), it fetches the package referenced by the URL and attempts to install it. An attacker can abuse this to download a payload through a signed Microsoft binary (ATT&CK T1105, Ingress Tool Transfer). The rule keys on the DNS resolution that precedes the download, so it requires DNS query telemetry per process (Sysmon Event ID 22 or equivalent). The Image match anchors on the versioned package folder under "C:\Program Files\WindowsApps\", which is why "startswith" is used instead of a full path. Legitimate MSIX/AppX installations launched via the same URI will trigger the rule too, so tune on the queried domain or the invoking parent.
Sigma rule
title: AppX Package Installation Attempts Via AppInstaller.EXE
id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
related:
  - id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
    type: derived
status: test
description: |
  Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
references:
  - https://twitter.com/notwhickey/status/1333900137232523264
  - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: frack113
date: 2021-11-24
modified: 2023-11-09
tags:
  - attack.command-and-control
  - attack.t1105
logsource:
  product: windows
  category: dns_query
detection:
  selection:
    Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_'
    Image|endswith: '\AppInstaller.exe'
  condition: selection
falsepositives:
  - Unknown
level: medium
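The selection above can be exercised offline against a few DNS-query records to see exactly what it does and does not catch. The following is an added example, not code from the Sigma project or the rule author: it re-implements the two string modifiers the rule uses (Sigma's startswith/endswith, which are case-insensitive by default) and runs them over constructed Sysmon Event ID 22-style records. The field names Image and QueryName follow Sysmon's DNS query event; every path, version string and domain in the samples is made up for illustration.

```python
"""Run the AppInstaller.EXE DNS-query Sigma selection over sample events.

Added example (not Sigma project code). Re-implements Sigma's default
case-insensitive 'startswith' / 'endswith' modifiers and applies the rule's
selection to constructed Sysmon Event ID 22-style records. Sample values are
fictional.
"""

# The two field conditions from the rule's 'selection' block.
IMAGE_PREFIX = r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_"
IMAGE_SUFFIX = r"\AppInstaller.exe"

# Sigma's 'dns_query' category on Windows is mapped by the Sysmon pipeline to
# Event ID 22 (DNSEvent). The hypothetical collector below tags events that way.
DNS_QUERY_EVENT_ID = 22


def sigma_startswith(value: str, prefix: str) -> bool:
    """Sigma 'startswith' modifier: case-insensitive prefix comparison."""
    return value.lower().startswith(prefix.lower())


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix comparison."""
    return value.lower().endswith(suffix.lower())


def selection(event: dict) -> bool:
    """Fields inside one Sigma selection map are ANDed together."""
    image = event.get("Image", "")
    return sigma_startswith(image, IMAGE_PREFIX) and sigma_endswith(image, IMAGE_SUFFIX)


def run_rule(events: list) -> list:
    """Apply logsource filter (EID 22) plus 'condition: selection'."""
    return [e for e in events if e.get("EventID") == DNS_QUERY_EVENT_ID and selection(e)]


# Constructed sample telemetry (not real events). Version folders under
# WindowsApps are fictional; the publisher suffix format mimics a packaged app.
SAMPLE_EVENTS = [
    {  # packaged App Installer resolving a host -> should alert
        "EventID": 22,
        "Image": r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.3482.0_x64__8wekyb3d8bbwe\AppInstaller.exe",
        "QueryName": "packages.example.net",
    },
    {  # ordinary browser lookup -> no alert
        "EventID": 22,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "QueryName": "www.example.com",
    },
    {  # a copy of the binary outside WindowsApps -> prefix fails, no alert
        "EventID": 22,
        "Image": r"C:\Users\Public\AppInstaller.exe",
        "QueryName": "packages.example.net",
    },
    {  # same packaged binary logged in lower case -> still alerts
        "EventID": 22,
        "Image": r"c:\program files\windowsapps\microsoft.desktopappinstaller_1.22.10661.0_x64__8wekyb3d8bbwe\appinstaller.exe",
        "QueryName": "cdn.example.org",
    },
    {  # right image, but a process-creation event, not a DNS query -> no alert
        "EventID": 1,
        "Image": r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.3482.0_x64__8wekyb3d8bbwe\AppInstaller.exe",
    },
]


def matched_domains(events: list) -> list:
    """Convenience view: the domains App Installer tried to resolve."""
    return [e["QueryName"] for e in run_rule(events)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['QueryName']}")
```

Two things the run makes visible: the rule's startswith anchor means a relocated or renamed copy of AppInstaller.exe will not match, which is by design (the packaged handler is what the ms-appinstaller URI launches), and the queried domain in each hit is the natural field to pivot on when triaging, since it is the host the package is being pulled from.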
References
- https://twitter.com/notwhickey/status/1333900137232523264
- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
Related rules
- Arbitrary File Download Via GfxDownloadWrapper.EXE
- Browser Execution In Headless Mode
- Cisco Stage Data
- Command Line Execution with Suspicious URL and AppData Strings
- Curl Download And Execute Combination