Legitimate software development and testing activities may trigger this detection. Internal application development teams testing MSIX packages before signing, or system administrators installing custom unsigned applications for business purposes, may use the -AllowUnsigned parameter. Note that the -AllowUnsigned flag is only available on Windows 11 and later versions. Verify that the package installation is expected in your environment and that the calling process and user are authorized to install unsigned packages.

Techniques

Sample rules

Windows AppX Deployment Unsigned Package Installation

Description

The following analytic detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter. This detection leverages Windows event logs from the AppXDeployment-Server, specifically focusing on EventID 603 which indicates the start of a deployment operation with specific deployment flags. The flag value 8388608 corresponds to the -AllowUnsigned option in PowerShell’s Add-AppxPackage cmdlet. This activity is significant as adversaries have been observed leveraging unsigned MSIX packages to deliver malware, bypassing signature verification that would normally protect users from malicious packages. If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.

Detection logic

`wineventlog_appxdeploymentserver` EventCode=603 Flags="8388608" 
| stats count min(_time) as firstTime max(_time) as lastTime values(Path) as file_name values(CallingProcess) as CallingProcess by dvc EventCode Flags user_id 
| rename dvc as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_appx_deployment_unsigned_package_installation_filter`
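As an added illustration, not part of the LoFP page or of the Splunk rule itself, the Python below re-implements the rule's filter and stats pipeline over a handful of constructed EventID 603 records that use the same field names as the SPL (EventCode, Flags, Path, CallingProcess, dvc, user_id, _time). It also shows one point the SPL leaves implicit: 8388608 is the single bit 0x800000 in a bitmask, so a bitwise test on that bit also matches a Flags value where AllowUnsigned is combined with other deployment options, whereas the rule's exact match on "8388608" fires only on that literal value. The sample records, hostnames, user names and paths are constructed for the example.

```python
from datetime import datetime

# DeploymentOptions.AllowUnsigned bit: 8388608 == 0x800000, the value the rule keys on.
ALLOW_UNSIGNED = 0x800000


def has_allow_unsigned(flags):
    """Bitwise test: true whenever the AllowUnsigned bit is set, even if other
    deployment option bits are OR'ed into the same Flags value."""
    return (int(flags) & ALLOW_UNSIGNED) != 0


def exact_flag_match(flags):
    """The rule's own condition: Flags compared as the literal string 8388608."""
    return str(flags) == "8388608"


# Constructed sample records (not real telemetry). Field names follow the SPL.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # unsigned install from a user's Downloads folder
    {"_time": "2024-01-05T09:12:00", "EventCode": 603, "Flags": 8388608,
     "Path": r"C:\Users\alice\Downloads\tool.msix", "CallingProcess": PS,
     "dvc": "WS01", "user_id": "alice"},
    # same host and user; AllowUnsigned combined with another option bit (0x1)
    {"_time": "2024-01-05T09:15:30", "EventCode": 603, "Flags": 8388609,
     "Path": r"C:\Users\alice\Downloads\tool2.msix", "CallingProcess": PS,
     "dvc": "WS01", "user_id": "alice"},
    # signed install on another host: Flags 0, must not fire
    {"_time": "2024-01-05T10:00:00", "EventCode": 603, "Flags": 0,
     "Path": r"C:\Deploy\signed.msix", "CallingProcess": PS,
     "dvc": "WS02", "user_id": "bob"},
    # different event ID carrying the flag value: outside the rule's scope
    {"_time": "2024-01-05T10:05:00", "EventCode": 604, "Flags": 8388608,
     "Path": r"C:\Deploy\other.msix", "CallingProcess": PS,
     "dvc": "WS02", "user_id": "bob"},
]


def detect_unsigned_installs(events, match=has_allow_unsigned):
    """Mirror of the SPL pipeline: keep EventCode 603 records whose Flags pass
    `match`, then aggregate count / firstTime / lastTime / file_name /
    CallingProcess per (dest, user_id). Returns a dict keyed by (dest, user_id)."""
    results = {}
    for ev in events:
        if ev["EventCode"] != 603 or not match(ev["Flags"]):
            continue
        key = (ev["dvc"], ev["user_id"])  # dvc is renamed to dest in the rule
        ts = datetime.fromisoformat(ev["_time"])
        row = results.setdefault(key, {
            "count": 0, "firstTime": ts, "lastTime": ts,
            "file_name": set(), "CallingProcess": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["file_name"].add(ev["Path"])
        row["CallingProcess"].add(ev["CallingProcess"])
    return results


if __name__ == "__main__":
    for matcher in (exact_flag_match, has_allow_unsigned):
        print(f"--- {matcher.__name__} ---")
        for (dest, user), row in detect_unsigned_installs(SAMPLE_EVENTS, matcher).items():
            print(dest, user, row["count"], sorted(row["file_name"]),
                  row["firstTime"].isoformat(), row["lastTime"].isoformat())
```

Running the script prints one result row for WS01/alice under each matcher: the exact-match version counts only the first record, the bitwise version counts both. The `values(...)` sets and the first/last timestamps are what an analyst would triage against the false-positive notes above (is the calling process a build or deployment tool, and is the user authorized to install unsigned packages).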