Potential File Download Via MS-AppInstaller Protocol Handler

Rule Info

Name: Potential File Download Via MS-AppInstaller Protocol Handler
Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
Description: Detects usage of the "ms-appinstaller" protocol handler via the command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>".
Date: 2023-11-09 00:00:00
Modified: None
Id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
Tags: attack.defense-evasion attack.execution attack.t1218
Type: Community Rule

Rule History

Author | Title | Date | Commit
github-actions[bot] | Merge PR #5027 from @nasbench - Promote older rules status from `experimental` to `test` | 2024-10-01 |
Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 |
Swachchhanda Shrawan Poudel | Merge PR #4557 from @swachchhanda000 - Multiple Rule Updates & New Rules | 2023-11-14 |