Windows AppX Deployment Unsigned Package Installation

name: Windows AppX Deployment Unsigned Package Installation
id: 9b5e7c14-f8d2-4a3b-b1a7-e5c9f2a8d123
version: 3
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventID 603 which indicates the start of a deployment operation with specific deployment flags. The flag value 8388608 corresponds to the -AllowUnsigned option in PowerShell's Add-AppxPackage cmdlet. This activity is significant as adversaries have been observed leveraging unsigned MSIX packages to deliver malware, bypassing signature verification that would normally protect users from malicious packages. If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.
data_source:
    - Windows Event Log AppXDeployment-Server 855
search: |-
    `wineventlog_appxdeploymentserver` EventCode=603 Flags="8388608"
      | stats count min(_time) as firstTime max(_time) as lastTime values(Path) as file_name values(CallingProcess) as CallingProcess
        BY dvc EventCode Flags
           user_id
      | rename dvc as dest
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_appx_deployment_unsigned_package_installation_filter`
how_to_implement: To implement this search, you need to configure Windows event log collection for the Microsoft-Windows-AppXDeploymentServer/Operational channel. This can be done through Windows Event Forwarding, Splunk Universal Forwarders, or other log collection methods. Ensure that the log collection method preserves the full XML structure of the events. The sourcetype should be set to XmlWinEventLog or WinEventLog depending on your environment configuration. This detection specifically looks for EventID 603 with a Flags value of 8388608, which indicates the use of the -AllowUnsigned parameter when installing MSIX packages.
known_false_positives: Legitimate software development and testing activities may trigger this detection. Internal application development teams testing MSIX packages before signing or system administrators installing custom unsigned applications for business purposes may use the -AllowUnsigned parameter. Note that the -AllowUnsigned flag is only available on Windows 11 and later versions. Verify if the package installation is expected in your environment and if the calling process and user are authorized to install unsigned packages.
references:
    - https://learn.microsoft.com/en-us/powershell/module/appx/add-appxpackage
    - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
    - https://redcanary.com/blog/threat-intelligence/msix-installers/
    - https://attack.mitre.org/techniques/T1553/005/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: Look for related PowerShell activity from the same dest
      search: '`powershell` EventCode=4104 dest="$dest$" ScriptBlockText="*Add-AppxPackage*" OR ScriptBlockText="*Add-AppPackage*" | stats count by ScriptBlockText'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Unsigned MSIX/AppX package $file_name$ installation attempted on $dest$ by user $user_id$ using $CallingProcess$
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: file_name
          type: file_name
tags:
    analytic_story:
        - MSIX Package Abuse
    asset_type: Endpoint
    mitre_attack_id:
        - T1553.005
        - T1204.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
    cve: []
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.002/appx/windows_appxdeploymentserver.log
          sourcetype: XmlWinEventLog
          source: XmlWinEventLog:Microsoft-Windows-AppXDeploymentServer/Operational