AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
Sigma rule (View on GitHub)
1title: AppX Package Installation Attempts Via AppInstaller.EXE
2id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
3related:
4 - id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
5 type: derived
6status: test
7description: |
8 Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
9references:
10 - https://twitter.com/notwhickey/status/1333900137232523264
11 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
12author: frack113
13date: 2021/11/24
14modified: 2023/11/09
15tags:
16 - attack.command_and_control
17 - attack.t1105
18logsource:
19 product: windows
20 category: dns_query
21detection:
22 selection:
23 Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_'
24 Image|endswith: '\AppInstaller.exe'
25 condition: selection
26falsepositives:
27 - Unknown
28level: medium
References
-
-
Download: INetCache INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, having added [1] or a higher number between the file'...
Read More
Related rules
- File Download And Execution Via IEExec.EXE
- File Download From Browser Process Via Inline URL
- File Download Via Windows Defender MpCmpRun.EXE
- Potential COM Objects Download Cradles Usage - PS Script
- Potential COM Objects Download Cradles Usage - Process Creation