Potential File Download Via MS-AppInstaller Protocol Handler
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>"
Sigma rule (View on GitHub)
1title: Potential File Download Via MS-AppInstaller Protocol Handler
2id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
3related:
4 - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
5 type: derived
6status: test
7description: |
8 Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
9 The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
10references:
11 - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
12author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
13date: 2023-11-09
14tags:
15 - attack.defense-evasion
16 - attack.execution
17 - attack.t1218
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 CommandLine|contains|all:
24 - 'ms-appinstaller://?source='
25 - 'http'
26 condition: selection
27falsepositives:
28 - Unknown
29level: medium
References
-
AppInstaller.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via Squirrel.EXE
- Process Proxy Execution Via Squirrel.EXE
- Potentially Suspicious Child Process Of VsCode