Windows Developer-Signed MSIX Package Installation
This detection identifies the installation of developer-signed MSIX packages that lack Microsoft Store signatures. All malicious MSIX packages observed in recent threat campaigns (including those from FIN7, Zloader/Storm-0569, and FakeBat/Storm-1113) were developer-signed rather than Microsoft Store-signed. Microsoft Store apps carry publisher IDs containing '8wekyb3d8bbwe' or 'cw5n1h2txyewy', while developer-signed packages lack these identifiers. This detection focuses on EventID 855 from the Microsoft-Windows-AppXDeployment-Server/Operational log, which indicates a completed package installation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.002 User Execution: Malicious File |
| Defense Evasion | T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| AppXDeployment-Server | 855 | Finished resolving action lists. |
Stages and Predicates
Stage 1: search
search NOT PackageMoniker IN ("*8wekyb3d8bbwe*", "*cw5n1h2txyewy*") EventCode=855
Stage 2: stats
stats BY dvc, EventCode, user_id
Stage 3: rename
rename
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
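As an added illustration (not part of the catalog or of the Splunk rule itself), the following Python reproduces stages 1 and 2 of the rule over constructed AppXDeployment events: keep EventCode 855 records whose PackageMoniker contains neither Store publisher ID, then count them by dvc, EventCode and user_id. The flattened key=value event layout, the host and user names, and the Contoso package name are assumptions.

```python
import re
from collections import Counter

# Publisher IDs of Microsoft Store / inbox packages (the rule's exclusion list).
STORE_PUBLISHER_IDS = ("8wekyb3d8bbwe", "cw5n1h2txyewy")
INSTALL_COMPLETED_EVENT = 855  # AppXDeployment-Server: "Finished resolving action lists."

# Constructed sample events, written as the key=value fields Splunk would extract.
SAMPLE_EVENTS = [
    "EventCode=855 dvc=WS01 user_id=alice PackageMoniker=Microsoft.WindowsCalculator_11.2210.0.0_x64__8wekyb3d8bbwe",
    "EventCode=855 dvc=WS01 user_id=alice PackageMoniker=Contoso.Notes_1.0.0.0_x64__abcd1234efgh5",
    "EventCode=855 dvc=WS02 user_id=bob PackageMoniker=Microsoft.Windows.ShellExperienceHost_10.0.22621.1_neutral_neutral_cw5n1h2txyewy",
    "EventCode=400 dvc=WS02 user_id=bob PackageMoniker=Contoso.Notes_1.0.0.0_x64__abcd1234efgh5",
    "EventCode=855 dvc=WS02 user_id=bob PackageMoniker=Contoso.Notes_1.0.0.0_x64__abcd1234efgh5",
]


def parse_event(line):
    """Split a flattened event line into a field -> value dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def publisher_id(moniker):
    """The publisher-ID hash is the last underscore-separated part of a package full name."""
    return moniker.rsplit("_", 1)[-1]


def is_developer_signed_install(event):
    """Stage 1: EventCode=855 AND PackageMoniker matches neither Store publisher wildcard."""
    if event.get("EventCode") != str(INSTALL_COMPLETED_EVENT):
        return False
    moniker = event.get("PackageMoniker", "")
    # Splunk's "*id*" wildcards are substring matches, so a plain containment check mirrors them.
    return not any(pid in moniker for pid in STORE_PUBLISHER_IDS)


def detect(lines):
    """Stage 2: count matching installs per (dvc, EventCode, user_id)."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if is_developer_signed_install(ev):
            hits[(ev["dvc"], ev["EventCode"], ev["user_id"])] += 1
    return hits


if __name__ == "__main__":
    for (dvc, code, user), n in detect(SAMPLE_EVENTS).items():
        print(f"{dvc} {user} EventCode={code} developer_signed_installs={n}")
```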
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | PackageMoniker | in | "*8wekyb3d8bbwe*", "*cw5n1h2txyewy*" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 855 |