sigma · high · Hunting
Remote AppX Package Downloaded from File Sharing or CDN Domain
Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
Detection Query
selection:
  EventID: 854
  Path|contains:
    - .githubusercontent.com
    - anonfiles.com
    - cdn.discordapp.com
    - ddns.net
    - dl.dropboxusercontent.com
    - ghostbin.co
    - github.com
    - glitch.me
    - gofile.io
    - hastebin.com
    - mediafire.com
    - mega.nz
    - onrender.com
    - pages.dev
    - paste.ee
    - pastebin.com
    - pastebin.pl
    - pastetext.net
    - privatlab.com
    - privatlab.net
    - send.exploit.in
    - sendspace.com
    - storage.googleapis.com
    - storjshare.io
    - supabase.co
    - temp.sh
    - transfer.sh
    - trycloudflare.com
    - ufile.io
    - w3spaces.com
    - workers.dev
condition: selection
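As an added example, not part of this rule or the Sigma project, the Python below applies the selection above to constructed AppXDeployment-Server 854 events and contrasts Sigma's substring `contains` semantics with a stricter hostname comparison; the `host_match` function, the sample events and their paths are assumptions of this example.

```python
# Added example (not part of the Sigma project or this rule): applies the
# rule's selection to constructed AppXDeployment-Server events and contrasts
# Sigma's substring `contains` with a stricter hostname comparison.
from urllib.parse import urlparse
# Domain fragments copied from the rule's Path|contains list.
REMOTE_DOMAINS = (
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "github.com", "glitch.me",
    "gofile.io", "hastebin.com", "mediafire.com", "mega.nz", "onrender.com",
    "pages.dev", "paste.ee", "pastebin.com", "pastebin.pl", "pastetext.net",
    "privatlab.com", "privatlab.net", "send.exploit.in", "sendspace.com",
    "storage.googleapis.com", "storjshare.io", "supabase.co", "temp.sh",
    "transfer.sh", "trycloudflare.com", "ufile.io", "w3spaces.com", "workers.dev",
)

def sigma_match(event: dict) -> bool:
    """Rule semantics: EventID 854 and Path contains any fragment anywhere.
    Sigma string matching is case-insensitive, so both sides are lowered."""
    if event.get("EventID") != 854:
        return False
    path = str(event.get("Path", "")).lower()
    return any(frag in path for frag in REMOTE_DOMAINS)

def host_match(event: dict) -> bool:
    """Stricter variant (this example's assumption, not the rule): compare
    only the URL hostname, so a listed domain in a query string or in a
    look-alike such as github.com.example.test does not fire."""
    if event.get("EventID") != 854:
        return False
    host = (urlparse(str(event.get("Path", ""))).hostname or "").lower()
    return any(host == d.lstrip(".") or host.endswith("." + d.lstrip("."))
               for d in REMOTE_DOMAINS)

def hunt(events, matcher=sigma_match):
    """Return the Path of every event the chosen matcher flags."""
    return [e["Path"] for e in events if matcher(e)]

# Constructed sample events (not real telemetry); Path is the package source.
SAMPLE_EVENTS = [
    {"EventID": 854, "Path": "https://cdn.discordapp.com/attachments/1/2/app.appx"},
    {"EventID": 854, "Path": "https://raw.githubusercontent.com/u/r/main/x.msix"},
    {"EventID": 854, "Path": "C:\\Users\\u\\Downloads\\vendor.appx"},
    {"EventID": 855, "Path": "https://mega.nz/file/abc"},  # other event ID
    {"EventID": 854, "Path": "https://intranet.example/?src=github.com"},
    {"EventID": 854, "Path": "https://github.com.example.test/pkg.appxbundle"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS), hunt(SAMPLE_EVENTS, host_match), sep="\n")
```

The substring matcher flags the query-string and look-alike paths as well as the two genuine CDN downloads; the hostname matcher flags only the latter two, which is the trade-off to weigh when tuning this rule against the stated false positive of internally distributed packages.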
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-01-11
Data Sources
windowsappxdeployment-server
Platforms
windows
References
Tags
attack.defense-evasion
Raw Content
title: Remote AppX Package Downloaded from File Sharing or CDN Domain
id: 8b48ad89-10d8-4382-a546-50588c410f0d
status: test
description: |
  Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
references:
  - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
  - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
  - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-10
tags:
  - attack.defense-evasion
logsource:
  product: windows
  service: appxdeployment-server
detection:
  selection:
    EventID: 854
    Path|contains:
      - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
      - 'anonfiles.com'
      - 'cdn.discordapp.com'
      - 'ddns.net'
      - 'dl.dropboxusercontent.com'
      - 'ghostbin.co'
      - 'github.com'
      - 'glitch.me'
      - 'gofile.io'
      - 'hastebin.com'
      - 'mediafire.com'
      - 'mega.nz'
      - 'onrender.com'
      - 'pages.dev'
      - 'paste.ee'
      - 'pastebin.com'
      - 'pastebin.pl'
      - 'pastetext.net'
      - 'privatlab.com'
      - 'privatlab.net'
      - 'send.exploit.in'
      - 'sendspace.com'
      - 'storage.googleapis.com'
      - 'storjshare.io'
      - 'supabase.co'
      - 'temp.sh'
      - 'transfer.sh'
      - 'trycloudflare.com'
      - 'ufile.io'
      - 'w3spaces.com'
      - 'workers.dev'
  condition: selection
falsepositives:
  - Unlikely, unless the organization uses file sharing or CDN services to distribute internal applications.
level: high