Name:Windows AppX Deployment Unsigned Package Installation id:9b5e7c14-f8d2-4a3b-b1a7-e5c9f2a8d123 version:1 date:2025-08-05 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventID 603 which indicates the start of a deployment operation with specific deployment flags. The flag value 8388608 corresponds to the -AllowUnsigned option in PowerShell's Add-AppxPackage cmdlet. This activity is significant as adversaries have been observed leveraging unsigned MSIX packages to deliver malware, bypassing signature verification that would normally protect users from malicious packages. If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms. Data_source:
-Windows Event Log AppXDeployment-Server 855
search:`wineventlog_appxdeploymentserver` EventCode=603 Flags="8388608" | stats count min(_time) as firstTime max(_time) as lastTime values(Path) as file_name values(CallingProcess) as CallingProcess by dvc EventCode Flags user_id | rename dvc as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_appx_deployment_unsigned_package_installation_filter`
how_to_implement:To implement this search, you need to configure Windows event log collection for the Microsoft-Windows-AppXDeploymentServer/Operational channel. This can be done through Windows Event Forwarding, Splunk Universal Forwarders, or other log collection methods. Ensure that the log collection method preserves the full XML structure of the events. The sourcetype should be set to XmlWinEventLog or WinEventLog depending on your environment configuration. This detection specifically looks for EventID 603 with a Flags value of 8388608, which indicates the use of the -AllowUnsigned parameter when installing MSIX packages. known_false_positives:Legitimate software development and testing activities may trigger this detection. Internal application development teams testing MSIX packages before signing or system administrators installing custom unsigned applications for business purposes may use the -AllowUnsigned parameter. Note that the -AllowUnsigned flag is only available on Windows 11 and later versions. Verify if the package installation is expected in your environment and if the calling process and user are authorized to install unsigned packages. References: -https://learn.microsoft.com/en-us/powershell/module/appx/add-appxpackage -https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package -https://redcanary.com/blog/threat-intelligence/msix-installers/ -https://attack.mitre.org/techniques/T1553/005/ drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'Look for related PowerShell activity from the same dest' search:'`powershell` EventCode=4104 dest="$dest$" ScriptBlockText="*Add-AppxPackage*" OR ScriptBlockText="*Add-AppPackage*" | stats count by ScriptBlockText' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'MSIX Package Abuse' asset_type:Endpoint mitre_attack_id: - 'T1553.005' - 'T1204.002' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint cve:
