LoFP / Unlikely, unless the organization uses file sharing or CDN services to distribute internal applications.

Techniques

Sample rules

Remote AppX Package Downloaded from File Sharing or CDN Domain

Description

Detects an AppX package that was added to the pipeline of “to be processed” packages and that was downloaded from a file sharing or CDN domain.

Detection logic

condition: selection
selection:
  EventID: 854
  Path|contains:
  - .githubusercontent.com
  - anonfiles.com
  - cdn.discordapp.com
  - ddns.net
  - dl.dropboxusercontent.com
  - ghostbin.co
  - github.com
  - glitch.me
  - gofile.io
  - hastebin.com
  - mediafire.com
  - mega.nz
  - onrender.com
  - pages.dev
  - paste.ee
  - pastebin.com
  - pastebin.pl
  - pastetext.net
  - privatlab.com
  - privatlab.net
  - send.exploit.in
  - sendspace.com
  - storage.googleapis.com
  - storjshare.io
  - supabase.co
  - temp.sh
  - transfer.sh
  - trycloudflare.com
  - ufile.io
  - w3spaces.com
  - workers.dev
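As an added example (not part of the LoFP page or the Sigma rule itself), the selection above implemented in Python and evaluated over constructed AppXDeploymentServer events; the `allowlist` parameter and the sample URLs are assumptions that show how the stated false positive (an organization hosting its own packages on such services) would be tuned out.

```python
# Re-implements the rule's selection: EventID == 854 AND Path|contains any
# listed domain. Sigma string modifiers match case-insensitively by default.
from typing import Iterable, Sequence

# Domain fragments copied verbatim from the rule's Path|contains list.
FILE_SHARING_CDN_DOMAINS = (
    ".githubusercontent.com", "anonfiles.com", "cdn.discordapp.com", "ddns.net",
    "dl.dropboxusercontent.com", "ghostbin.co", "github.com", "glitch.me",
    "gofile.io", "hastebin.com", "mediafire.com", "mega.nz", "onrender.com",
    "pages.dev", "paste.ee", "pastebin.com", "pastebin.pl", "pastetext.net",
    "privatlab.com", "privatlab.net", "send.exploit.in", "sendspace.com",
    "storage.googleapis.com", "storjshare.io", "supabase.co", "temp.sh",
    "transfer.sh", "trycloudflare.com", "ufile.io", "w3spaces.com", "workers.dev",
)


def matches_rule(event: dict, allowlist: Sequence[str] = ()) -> bool:
    """True when the event satisfies the Sigma selection.

    `allowlist` is an assumed tuning hook, not part of the rule: URL prefixes
    the organization itself uses to host internal AppX/MSIX packages are skipped.
    """
    if event.get("EventID") != 854:
        return False
    path = str(event.get("Path", "")).lower()
    if any(path.startswith(prefix.lower()) for prefix in allowlist):
        return False
    return any(domain in path for domain in FILE_SHARING_CDN_DOMAINS)


def matching_paths(events: Iterable[dict], allowlist: Sequence[str] = ()) -> list:
    """Return the Path of every event the rule would alert on."""
    return [e["Path"] for e in events if matches_rule(e, allowlist)]


# Constructed sample events (not real log data); EventID 855 is only there to
# show that events other than 854 are ignored.
SAMPLE_EVENTS = [
    {"EventID": 854, "Path": "https://cdn.discordapp.com/attachments/1/2/tool.appx"},
    {"EventID": 854, "Path": "https://STORAGE.GOOGLEAPIS.COM/corp-apps/hr.msixbundle"},
    {"EventID": 854, "Path": "https://intranet.example.internal/apps/hr.msixbundle"},
    {"EventID": 854, "Path": "C:\\Users\\alice\\Downloads\\tool.appx"},
    {"EventID": 855, "Path": "https://mega.nz/file/abc"},
]

if __name__ == "__main__":
    for p in matching_paths(SAMPLE_EVENTS):
        print("ALERT", p)
    # With the assumed corporate bucket allowlisted, only the Discord CDN hit remains.
    for p in matching_paths(SAMPLE_EVENTS, ["https://storage.googleapis.com/corp-apps/"]):
        print("ALERT (tuned)", p)
```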