Potential File Download Via MS-AppInstaller Protocol Handler

calendar Nov 14, 2023 · attack.defense_evasion attack.execution attack.t1218  ·
Share on: linkedin copy

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>"

Sigma rule (View on GitHub)

 1title: Potential File Download Via MS-AppInstaller Protocol Handler
 2id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
 3related:
 4    - id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
 5      type: derived
 6status: experimental
 7description: |
 8    Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE
 9    The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"    
10references:
11    - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
12author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
13date: 2023/11/09
14tags:
15    - attack.defense_evasion
16    - attack.execution
17    - attack.t1218
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection:
23        CommandLine|contains|all:
24            - 'ms-appinstaller://?source='
25            - 'http'
26    condition: selection
27falsepositives:
28    - Unknown
29level: medium

References

  • Appinstaller | LOLBAS

    Download: INetCache INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, having added [1] or a higher number between the file'...


    Read More

Related rules

to-top