AppX Package Installation Attempts Via AppInstaller.EXE

Sigma Rules

Summary
This detection rule identifies potentially malicious activity associated with the installation of AppX packages via the AppInstaller executable (AppInstaller.exe) on Windows systems. AppInstaller is by default the handler for the "ms-appinstaller" URI scheme, which is used to load and install applications from external sources. The rule monitors DNS queries initiated by AppInstaller.exe, specifically when the executable runs from the WindowsApps directory, the location of the legitimate binary. Malicious actors may abuse this utility to install unwanted software or malware, hence the need for detection. When enabled, the alert helps security teams investigate unusual installation behavior and verify the legitimacy of application installations on their networks, preventing potential command-and-control (C2) communication and unwanted application execution. By analyzing the patterns of DNS queries made by AppInstaller.exe, this rule aims to improve monitoring and provide early warning of potential application-based attacks.
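The following is an added illustration of the matching logic described above, not the Sigma rule itself or code from the rule's authors. It assumes Sysmon-style DNS query events (Event ID 22) with the EventData fields Image and QueryName; the sample events and the package subfolder name are constructed placeholders.

```python
"""Toy re-implementation of the AppInstaller.exe DNS-query detection described above.

Records are constructed Sysmon-style DNS query events (Event ID 22), not real telemetry.
Field names follow Sysmon's EventData (Image, QueryName); this is an assumption.
"""
import ntpath

# Directory of the legitimate AppInstaller package (from the rule description).
WINDOWSAPPS_DIR = r"C:\Program Files\WindowsApps"


def matches_rule(event: dict) -> bool:
    """Return True when a DNS query was issued by AppInstaller.exe running from WindowsApps."""
    if event.get("EventID") != 22:  # only DNS query events are in scope
        return False
    # Windows paths are case-insensitive; normalize before matching.
    image = event.get("Image", "").lower()
    return (ntpath.basename(image) == "appinstaller.exe"
            and image.startswith(WINDOWSAPPS_DIR.lower() + "\\"))


def find_alerts(events: list[dict]) -> list[dict]:
    """Run the rule over a batch of events and return the ones that match."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; the package subfolder and hostnames are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 22,
     "Image": r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_PLACEHOLDER\AppInstaller.exe",
     "QueryName": "package-host.example.invalid"},
    {"EventID": 22,  # another process issuing DNS queries: not in scope
     "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "update.example.invalid"},
    {"EventID": 1,  # process creation, not a DNS query: not in scope
     "Image": r"C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_PLACEHOLDER\AppInstaller.exe"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {alert['Image']} queried {alert['QueryName']}")
```

A match is a starting point for triage: the queried hostname and the user session that launched the install decide whether the package source is expected.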
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • File
Created: 2021-11-24