Detection rules › Splunk

Windows AppX Deployment Unsigned Package Installation

Author
Michael Haag, Splunk
Source
upstream

The following analytic detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventID 603 which indicates the start of a deployment operation with specific deployment flags. The flag value 8388608 corresponds to the -AllowUnsigned option in PowerShell's Add-AppxPackage cmdlet. This activity is significant as adversaries have been observed leveraging unsigned MSIX packages to deliver malware, bypassing signature verification that would normally protect users from malicious packages. If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.

MITRE ATT&CK coverage

Tactic | Techniques
Execution | T1204.002 User Execution: Malicious File
Defense Evasion | T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass

Event coverage

Provider | Event ID | Title
AppXDeployment-Server | 855 | Finished resolving action lists.

Stages and Predicates

Stage 1: search

search EventCode=603 Flags="8388608"

Stage 2: stats

stats BY dvc, EventCode, Flags, user_id

Stage 3: rename

rename

Stage 4: search

search

Stage 5: search

search

Stage 6: search

search `macro`
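As an added illustration (not part of the rule or Splunk's content), the following Python reproduces stages 1 and 2 of the analytic over constructed AppXDeployment-Server records: it keeps EventCode 603 records carrying deployment flag 8388608 and counts them by dvc, EventCode, Flags and user_id. The sample lines, the key=value layout, the device names and SIDs are all made up here, and the optional bitmask mode assumes Flags is a combinable bit field, which the rule itself does not state.

```python
import re
from collections import Counter

# Values from the rule: EventID 603 (deployment operation started) and the
# deployment flag 8388608, which the analytic maps to Add-AppxPackage -AllowUnsigned.
DEPLOYMENT_START_EVENT = 603
ALLOW_UNSIGNED_FLAG = 8388608  # == 0x800000, bit 23

# Constructed sample records in key=value form using the rule's field names; not real telemetry.
SAMPLE_EVENTS = [
    "EventCode=603 dvc=ws01 user_id=S-1-5-21-100-1001 Flags=8388608 PackageFullName=Contoso.Tool_1.0.0.0_x64__placeholder",
    "EventCode=603 dvc=ws01 user_id=S-1-5-21-100-1001 Flags=0 PackageFullName=Fabrikam.Viewer_2.1.0.0_x64__placeholder",
    "EventCode=603 dvc=ws02 user_id=S-1-5-21-100-1002 Flags=8388616 PackageFullName=Contoso.Tool_1.0.0.0_x64__placeholder",
    "EventCode=855 dvc=ws02 user_id=S-1-5-21-100-1002 Flags=8388608 PackageFullName=Contoso.Tool_1.0.0.0_x64__placeholder",
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split a key=value record into a dict, stripping surrounding quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_unsigned_install(event, bitwise=False):
    """Stage 1 of the rule: EventCode 603 with the AllowUnsigned deployment flag.

    bitwise=False mirrors the rule's exact match Flags="8388608".
    bitwise=True treats Flags as a bitmask (an assumption, not stated by the rule),
    so 8388608 combined with other deployment options is also reported.
    """
    if int(event.get("EventCode", -1)) != DEPLOYMENT_START_EVENT:
        return False
    flags = int(event.get("Flags", 0))
    if bitwise:
        return bool(flags & ALLOW_UNSIGNED_FLAG)
    return flags == ALLOW_UNSIGNED_FLAG


def detect(lines, bitwise=False):
    """Stages 1 and 2: filter the records, then count by dvc, EventCode, Flags, user_id."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if is_unsigned_install(ev, bitwise):
            hits[(ev.get("dvc"), ev.get("EventCode"), ev.get("Flags"), ev.get("user_id"))] += 1
    return hits


if __name__ == "__main__":
    for key, count in detect(SAMPLE_EVENTS, bitwise=True).items():
        print(count, *key)
```

With exact matching only the first sample record fires; the bitmask mode also reports the third, which is the case an exact-value search would miss if the flag were ever set alongside other options.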

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
EventCode | eq | 603
Flags | eq | "8388608"