Name:Windows PowerShell MSIX Package Installation id:d2f77901-dbfa-42d9-8af7-dcd0f1a50a2f version:1 date:2025-08-05 author:Michael Haag, Splunk status:production type:TTP Description:The following analytic detects the execution of PowerShell commands to install unsigned AppX packages using Add-AppxPackage or Add-AppPackage cmdlets with the -AllowUnsigned flag. This detection leverages PowerShell Script Block Logging (EventCode=4104) to capture the full command content. This activity is significant as adversaries may use unsigned AppX packages to install malicious applications, bypass security controls, or establish persistence. If confirmed malicious, this could allow attackers to install unauthorized applications that may contain malware, backdoors, or other malicious components. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 ScriptBlockText IN("*Add-AppPackage *", "*Add-AppxPackage *") AND ScriptBlockText IN ("* -AllowUnsigned*") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_msix_package_installation_filter` | `windows_powershell_msix_package_installation_filter`
how_to_implement:The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. Ensure PowerShell Script Block Logging is enabled in your environment to capture the full command content. known_false_positives:Installation of unsigned packages for testing purposes by developers or system administrators.
Legitimate software development and testing activities may trigger this detection.
Internal application development teams testing MSIX packages before signing.
System administrators installing custom unsigned applications for business purposes.
Note: The -AllowUnsigned flag is only available on Windows 11 and later versions.
References: -https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package -https://learn.microsoft.com/en-us/windows/msix/desktop/powershell-msix-cmdlets -https://learn.microsoft.com/en-us/powershell/module/appx/add-appxpackage -https://twitter.com/WindowsDocs/status/1620078135080325122 -https://attack.mitre.org/techniques/T1059/001/ -https://attack.mitre.org/techniques/T1547/001/ -https://learn.microsoft.com/en-us/powershell/module/appx/add-appxpackage?view=windowsserver2025-ps drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Malicious PowerShell' - 'MSIX Package Abuse' asset_type:Endpoint mitre_attack_id: - 'T1059.001' - 'T1547.001' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:endpoint cve:
