← Back to Explore
sigmamediumHunting
Windows AppX Deployment Unsigned Package Installation
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
Detection Query
selection:
EventID: 603
Flags: "8388608"
condition: selection
Author
Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2025-11-03
Data Sources
windowsappxdeployment-server
Platforms
windows
References
Tags
attack.defense-evasionattack.executionattack.t1204.002attack.t1553.005
Raw Content
title: Windows AppX Deployment Unsigned Package Installation
id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
related:
- id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
type: similar
- id: 975b2262-9a49-439d-92a6-0709cccdf0b2
type: similar
status: experimental
description: Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
references:
- https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage
- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
- attack.defense-evasion
- attack.execution
- attack.t1204.002
- attack.t1553.005
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 603
Flags: '8388608'
condition: selection
falsepositives:
- Legitimate installation of unsigned packages for legitimate purposes such as development or testing
level: medium