Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

AppX Located in Uncommon Directory Added to Deployment Pipeline

Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Wed Jan 11Updated Wed Dec 03c977cb50-3dff-4a9f-b873-9290f56132f1windows
Log Source
Windowsappxdeployment-server
ProductWindows← raw: windows
Serviceappxdeployment-server← raw: appxdeployment-server
Detection Logic
Detection Logic6 selectors
detection:
    selection:
        EventID: 854
    filter_main_generic:
        Path|contains:
            # Paths can be written using forward slash if the "file://" protocol is used
            - ':/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/'
            - ':/Windows/System32/'
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\ImmersiveControlPanel\'
            - ':\Windows\PrintDialog\'
            - ':\Windows\SystemApps\'
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'x-windowsupdate://'
    filter_main_specific:
        Path|contains:
            - 'https://installer.teams.static.microsoft/'
            - 'https://res.cdn.office.net' # Example https://res.cdn.office.net/nativehost/5mttl/installer/v2/1.2025.617.100/Microsoft.OutlookForWindows_x64.msix
            - 'https://statics.teams.cdn.live.net/'
            - 'https://statics.teams.cdn.office.net/'
            - 'microsoft.com' # Example: https://go.microsoft.com/fwlink/?linkid=2160968
    filter_optional_onedrive:
        Path|contains: 'AppData\Local\Microsoft\OneDrive\'
    filter_optional_winget:
        Path|contains:
            - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source'
            - 'AppData\Local\Temp\WinGet\Microsoft.Winget.Source'
    filter_optional_x_windowsupdate:
        Path|contains: 'x-windowsupdate://'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
Internal Research
2
Resolving title…
sentinelone.com
3
Resolving title…
learn.microsoft.com
4
Resolving title…
news.sophos.com
MITRE ATT&CK
Rule Metadata
Rule ID
c977cb50-3dff-4a9f-b873-9290f56132f1
Status
test
Level
medium
Type
Detection
Created
Wed Jan 11
Modified
Wed Dec 03
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml
Raw Tags
attack.defense-evasion
View on GitHub