Sigma rule | Level: medium | Category: Hunting
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an AppX package located in an uncommon directory being added to the deployment pipeline's "to be processed" queue.
Detection Query
selection:
    EventID: 854
filter_main_generic:
    Path|contains:
        - ':/Program%20Files'
        - ':/Windows/System32/'
        - ':\Program Files (x86)\'
        - ':\Program Files\'
        - ':\Windows\ImmersiveControlPanel\'
        - ':\Windows\PrintDialog\'
        - ':\Windows\SystemApps\'
        - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
        - 'x-windowsupdate://'
filter_main_specific:
    Path|contains:
        - 'https://installer.teams.static.microsoft/'
        - 'https://res.cdn.office.net'
        - 'https://statics.teams.cdn.live.net/'
        - 'https://statics.teams.cdn.office.net/'
        - 'microsoft.com'
filter_optional_onedrive:
    Path|contains: 'AppData\Local\Microsoft\OneDrive\'
filter_optional_winget:
    Path|contains:
        - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
        - 'AppData\Local\Temp\WinGet\Microsoft.Winget.Source'
filter_optional_x_windowsupdate:
    Path|contains: 'x-windowsupdate://'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
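Evaluating the rule offline, as an added example that is not the rule's own code nor part of the Sigma project: the script below re-implements the detection block against constructed AppXDeployment-Server records, so a defender can check which paths the filters suppress before deploying the rule (the event dicts, `rule_matches` and `alerting_paths` are assumptions for illustration).

```python
# Added example (not the rule's or Sigma's code). 'Path|contains' is a
# case-insensitive substring test (Sigma's default string matching); the
# condition means any single filter hit suppresses the alert.
SELECTION_EVENT_ID = 854

FILTERS = {
    "filter_main_generic": [
        ":/Program%20Files", ":/Windows/System32/", ":\\Program Files (x86)\\",
        ":\\Program Files\\", ":\\Windows\\ImmersiveControlPanel\\", ":\\Windows\\PrintDialog\\",
        ":\\Windows\\SystemApps\\", "AppData/Local/Temp/WinGet/Microsoft.Winget.Source",
        "x-windowsupdate://",
    ],
    "filter_main_specific": [
        "https://installer.teams.static.microsoft/", "https://res.cdn.office.net",
        "https://statics.teams.cdn.live.net/", "https://statics.teams.cdn.office.net/", "microsoft.com",
    ],
    "filter_optional_onedrive": ["AppData\\Local\\Microsoft\\OneDrive\\"],
    "filter_optional_winget": ["AppData/Local/Temp/WinGet/Microsoft.Winget.Source",
                               "AppData\\Local\\Temp\\WinGet\\Microsoft.Winget.Source"],
    "filter_optional_x_windowsupdate": ["x-windowsupdate://"],
}

def path_contains(path, needles):
    """Sigma 'contains' modifier: case-insensitive substring match."""
    lowered = path.lower()
    return any(needle.lower() in lowered for needle in needles)

def rule_matches(event):
    """True when an AppXDeployment-Server record should alert under the rule."""
    if event.get("EventID") != SELECTION_EVENT_ID:
        return False
    path = event.get("Path", "")
    # 'not 1 of filter_main_*' and 'not 1 of filter_optional_*' both reduce to:
    # no filter may match
    return not any(path_contains(path, needles) for needles in FILTERS.values())

# Constructed sample records (not real telemetry); only EventID and Path are used
SAMPLE_EVENTS = [
    {"EventID": 854, "Path": "file:///C:/Program%20Files/WindowsApps/Contoso.App.msix"},
    {"EventID": 854, "Path": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDrive.appx"},
    {"EventID": 854, "Path": "https://go.microsoft.com/fwlink/?linkid=2160968"},
    {"EventID": 854, "Path": "C:\\Users\\alice\\Downloads\\Invoice.appx"},
    {"EventID": 854, "Path": "https://cdn.example.invalid/pkg/Update.msixbundle"},
    {"EventID": 855, "Path": "C:\\Users\\alice\\Downloads\\Invoice.appx"},  # wrong EventID
]

def alerting_paths(events=SAMPLE_EVENTS):
    """Return the Path of every record the rule would flag, in input order."""
    return [e["Path"] for e in events if rule_matches(e)]
```

Only the two paths outside the allow-listed locations (a user Downloads folder and a non-Microsoft CDN) survive the filters; the EventID 855 record never enters the selection.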
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2023-01-11
Data Sources
windows / appxdeployment-server
Platforms
windows
References
- Internal Research
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
- https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
Tags
attack.defense-evasion
Raw Content
title: AppX Located in Uncommon Directory Added to Deployment Pipeline
id: c977cb50-3dff-4a9f-b873-9290f56132f1
status: test
description: |
    Detects an AppX package located in an uncommon directory being added to the deployment pipeline's "to be processed" queue.
references:
    - Internal Research
    - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
    - https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
    - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-11
modified: 2025-12-03
tags:
    - attack.defense-evasion
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 854
    filter_main_generic:
        Path|contains:
            # Paths can be written using forward slashes when the "file://" protocol is used
            - ':/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
            - ':/Windows/System32/'
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\ImmersiveControlPanel\'
            - ':\Windows\PrintDialog\'
            - ':\Windows\SystemApps\'
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'x-windowsupdate://'
    filter_main_specific:
        Path|contains:
            - 'https://installer.teams.static.microsoft/'
            - 'https://res.cdn.office.net' # Example: https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix
            - 'https://statics.teams.cdn.live.net/'
            - 'https://statics.teams.cdn.office.net/'
            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
    filter_optional_onedrive:
        Path|contains: 'AppData\Local\Microsoft\OneDrive\'
    filter_optional_winget:
        Path|contains:
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'AppData\Local\Temp\WinGet\Microsoft.Winget.Source'
    filter_optional_x_windowsupdate:
        Path|contains: 'x-windowsupdate://'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium