Detectionmediumtest

AppX Package Installation Attempts Via AppInstaller.EXE

Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Wed Nov 24Updated Thu Nov 097cff77e1-9663-46a3-8260-17f2e1aa9d0awindows

Log Source

WindowsDNS Query

ProductWindows← raw: windows

CategoryDNS Query← raw: dns_query

DNS lookup events generated by endpoint monitoring tools.

Detection Logic

detection:
    selection:
        Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_'
        Image|endswith: '\AppInstaller.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

twitter.com

Resolving title…

lolbas-project.github.io

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Techniques

T1105 · Ingress Tool Transfer

Related Rules

DerivedDetectionmedium

Potential File Download Via MS-AppInstaller Protocol Handler

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

7cff77e1-9663-46a3-8260-17f2e1aa9d0a

Status

test

Level

medium

Type

Detection

Created

Wed Nov 24

Modified

Thu Nov 09

Author

François Hubaut

Path

rules/windows/dns_query/dns_query_win_appinstaller.yml

Raw Tags

attack.command-and-controlattack.t1105

View on GitHub