LoFP

Installation of unsigned packages for testing purposes by developers or system administrators. Legitimate software development and testing activity may trigger this detection: internal application development teams testing MSIX packages before signing them, and system administrators installing custom unsigned applications for business purposes. Note: the -AllowUnsigned parameter is only available on Windows 11 and later.

Techniques

Sample rules

Windows PowerShell MSIX Package Installation

Description

The following analytic detects the execution of PowerShell commands that install unsigned MSIX/AppX packages using the Add-AppxPackage cmdlet (or its alias Add-AppPackage) with the -AllowUnsigned parameter. The detection relies on PowerShell Script Block Logging (EventCode=4104), which must be enabled on the endpoint, to capture the full command content. This activity is significant because adversaries may use unsigned AppX packages to install malicious applications, bypass code-signing controls, or establish persistence. If confirmed malicious, this could allow attackers to install unauthorized applications that may contain malware, backdoors, or other malicious components.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN("*Add-AppPackage *", "*Add-AppxPackage *") AND ScriptBlockText IN ("* -AllowUnsigned*") 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powershell_msix_package_installation_filter` 
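To show what the search above actually matches and how the false-positive filter behaves, here is an added example (not part of the original rule or of the Splunk security content) that re-implements the detection logic in Python and runs it over a handful of constructed 4104 script block records. The host names, accounts and the allowlist standing in for the `windows_powershell_msix_package_installation_filter` macro are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample EventCode 4104 (Script Block Logging) records standing in for
# the `powershell` data the search runs over; these are not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-03-01T09:15:00", "dest": "build-01.corp.example",
     "user_id": "CORP\\devbuild",
     "ScriptBlockText": "Add-AppxPackage -Path C:\\build\\app.msix -AllowUnsigned"},
    {"_time": "2024-03-01T09:20:00", "dest": "build-01.corp.example",
     "user_id": "CORP\\devbuild",
     "ScriptBlockText": "Add-AppPackage -Path .\\app.msix -AllowUnsigned -ForceUpdateFromAnyVersion"},
    {"_time": "2024-03-01T11:02:00", "dest": "ws-finance-07.corp.example",
     "user_id": "CORP\\jdoe",
     "ScriptBlockText": "Add-AppxPackage -Path $env:TEMP\\invoice.msix -AllowUnsigned"},
    {"_time": "2024-03-01T11:05:00", "dest": "ws-finance-07.corp.example",
     "user_id": "CORP\\jdoe",
     "ScriptBlockText": "Get-AppxPackage -Name *Invoice*"},
    {"_time": "2024-03-01T12:00:00", "dest": "ws-hr-02.corp.example",
     "user_id": "CORP\\asmith",
     "ScriptBlockText": "Add-AppxPackage -Path C:\\Users\\asmith\\Downloads\\Store.msixbundle"},
]

# Equivalent of ScriptBlockText IN("*Add-AppPackage *", "*Add-AppxPackage *"): the cmdlet
# name (Add-AppPackage is an alias of Add-AppxPackage) followed by a space. Splunk wildcard
# matching on field values is case-insensitive, hence IGNORECASE.
CMDLET_RE = re.compile(r"add-appx?package ", re.IGNORECASE)
# Equivalent of ScriptBlockText IN("* -AllowUnsigned*"): the parameter preceded by a space,
# so "-AllowUnsigned", "-AllowUnsigned:$true" and "-AllowUnsigned -Force..." all match.
FLAG_RE = re.compile(r" -allowunsigned", re.IGNORECASE)


def matches(script_block_text):
    """Return True when a script block satisfies both conditions of the search."""
    return bool(CMDLET_RE.search(script_block_text) and FLAG_RE.search(script_block_text))


def aggregate(events):
    """Mimic `stats count min(_time) as firstTime max(_time) as lastTime by dest user_id`."""
    groups = {}
    for ev in events:
        if not matches(ev.get("ScriptBlockText", "")):
            continue
        ts = datetime.fromisoformat(ev["_time"])
        key = (ev["dest"], ev["user_id"])
        row = groups.setdefault(
            key, {"count": 0, "firstTime": ts, "lastTime": ts, "ScriptBlockText": []})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["ScriptBlockText"].append(ev["ScriptBlockText"])
    return groups


# Hypothetical contents of the `windows_powershell_msix_package_installation_filter` macro:
# a build host and packaging account that legitimately test unsigned MSIX packages before
# signing them. Assumed values for this example only.
KNOWN_BUILD_HOSTS = {"build-01.corp.example"}
KNOWN_PACKAGING_ACCOUNTS = {"CORP\\devbuild"}


def apply_filter(groups):
    """Suppress rows where both the host and the account are on the allowlist."""
    return {
        (dest, user): row
        for (dest, user), row in groups.items()
        if not (dest in KNOWN_BUILD_HOSTS and user in KNOWN_PACKAGING_ACCOUNTS)
    }


def run_detection(events=SAMPLE_EVENTS):
    """Full pipeline: match, aggregate, then drop the known false positives."""
    return apply_filter(aggregate(events))


if __name__ == "__main__":
    for (dest, user), row in run_detection().items():
        print(f"{dest} {user} count={row['count']} "
              f"first={row['firstTime']:%Y-%m-%d %H:%M} last={row['lastTime']:%Y-%m-%d %H:%M}")
        for text in row["ScriptBlockText"]:
            print("   ", text)
```

Run against the constructed events, the build host's two installs are grouped into one row and then removed by the filter, leaving only the finance workstation. Two caveats worth noting when tuning the real search: the cmdlet patterns require a space after the cmdlet name, so a script block where the name is followed by a newline or a backtick is not matched; and PowerShell accepts any unambiguous prefix of a parameter name, so `-AllowU` installs the package just as `-AllowUnsigned` does but does not match `* -AllowUnsigned*`.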