security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml
T
Nasreddine Bencherchali 67ea98a6db feat: more updates and fixes
2023-01-12 01:05:48 +01:00

25 lines
811 B
YAML
Raw Blame History

title: AppX Package Installation Attempts Via AppInstaller
id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
status: test
description: AppInstaller.exe is spawned by the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
references:
- https://twitter.com/notwhickey/status/1333900137232523264
- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: frack113
date: 2021/11/24
modified: 2023/01/12
tags:
- attack.command_and_control
- attack.t1105
logsource:
product: windows
category: dns_query
detection:
selection:
Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_'
Image|endswith: '\AppInstaller.exe'
condition: selection
falsepositives:
- Unknown
level: medium
Reference in New Issue View Git Blame Copy Permalink