EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Windows PowerShell MSIX Package Installation

The following analytic detects the execution of PowerShell commands to install unsigned AppX packages using Add-AppxPackage or Add-AppPackage cmdlets with the -AllowUnsigned flag. This detection leverages PowerShell Script Block Logging (EventCode=4104) to capture the full command content. This activity is significant as adversaries may use unsigned AppX packages to install malicious applications, bypass security controls, or establish persistence. If confirmed malicious, this could allow attackers to install unauthorized applications that may contain malware, backdoors, or other malicious components.

MITRE ATT&CK

T1059.001T1547.001
executionpersistenceprivilege-escalation

Detection Query

`powershell` EventCode=4104 ScriptBlockText IN("*Add-AppPackage *", "*Add-AppxPackage *") AND ScriptBlockText IN ("* -AllowUnsigned*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powershell_msix_package_installation_filter`
  | `windows_powershell_msix_package_installation_filter`

Author

Michael Haag, Splunk

Created

2026-03-10

Data Sources

Powershell Script Block Logging 4104

References

Tags

Malicious PowerShellMSIX Package Abuse
Raw Content
name: Windows PowerShell MSIX Package Installation
id: d2f77901-dbfa-42d9-8af7-dcd0f1a50a2f
version: 4
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the execution of PowerShell commands to install unsigned AppX packages using Add-AppxPackage or Add-AppPackage cmdlets with the -AllowUnsigned flag. This detection leverages PowerShell Script Block Logging (EventCode=4104) to capture the full command content. This activity is significant as adversaries may use unsigned AppX packages to install malicious applications, bypass security controls, or establish persistence. If confirmed malicious, this could allow attackers to install unauthorized applications that may contain malware, backdoors, or other malicious components.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell` EventCode=4104 ScriptBlockText IN("*Add-AppPackage *", "*Add-AppxPackage *") AND ScriptBlockText IN ("* -AllowUnsigned*")
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest signature signature_id
           user_id vendor_product EventID
           Guid Opcode Name
           Path ProcessID ScriptBlockId
           ScriptBlockText
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_powershell_msix_package_installation_filter`
      | `windows_powershell_msix_package_installation_filter`
how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. Ensure PowerShell Script Block Logging is enabled in your environment to capture the full command content.
known_false_positives: |
    Installation of unsigned packages for testing purposes by developers or system administrators.
    Legitimate software development and testing activities may trigger this detection.
    Internal application development teams testing MSIX packages before signing.
    System administrators installing custom unsigned applications for business purposes.
    Note: The -AllowUnsigned flag is only available on Windows 11 and later versions.
references:
    - https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
    - https://learn.microsoft.com/en-us/windows/msix/desktop/powershell-msix-cmdlets
    - https://learn.microsoft.com/en-us/powershell/module/appx/add-appxpackage
    - https://twitter.com/WindowsDocs/status/1620078135080325122
    - https://attack.mitre.org/techniques/T1059/001/
    - https://attack.mitre.org/techniques/T1547/001/
    - https://learn.microsoft.com/en-us/powershell/module/appx/add-appxpackage?view=windowsserver2025-ps
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: The user $user_id$ attempted to install an unsigned AppX package on $dest$ using PowerShell.
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: ScriptBlockText
          type: command
tags:
    analytic_story:
        - Malicious PowerShell
        - MSIX Package Abuse
    asset_type: Endpoint
    mitre_attack_id:
        - T1059.001
        - T1547.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
    cve: []
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.005/msix_unsigned/windows-powershell.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog