Detectionhightest
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Wed Jan 115cdeaf3d-1489-477c-95ab-c318559fc051windows
Log Source
Windowsappxdeployment-server
ProductWindows← raw: windows
Serviceappxdeployment-server← raw: appxdeployment-server
Detection Logic
Detection Logic3 selectors
detection:
selection_eid:
EventID: 854
selection_paths_forward:
Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
- ':/Perflogs/'
- ':/Users/Public/'
- ':/Windows/Temp/'
- '/AppdData/Local/Temp/'
- '/Desktop/'
- '/Downloads/'
selection_paths_back:
Path|contains: # Paths can be written using forward slash if the "file://" protocol is used
- ':\PerfLogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppdData\Local\Temp\'
- '\Desktop\'
- '\Downloads\'
condition: selection_eid and 1 of selection_paths_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID
5cdeaf3d-1489-477c-95ab-c318559fc051
Status
test
Level
high
Type
Detection
Created
Wed Jan 11
Path
rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_package_in_staging_directory.yml
Raw Tags
attack.defense-evasion