Windows AppX Deployment Unsigned Package Installation

 1title: Windows AppX Deployment Unsigned Package Installation
 2id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
 3related:
 4    - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
 5      type: similar
 6    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
 7      type: similar
 8status: experimental
 9description: Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
10references:
11    - https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage
12    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
13author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2025-11-03
15tags:
16    - attack.defense-evasion
17    - attack.execution
18    - attack.t1204.002
19    - attack.t1553.005
20logsource:
21    product: windows
22    service: appxdeployment-server
23detection:
24    selection:
25        EventID: 603
26        Flags: '8388608'
27    condition: selection
28falsepositives:
29    - Legitimate installation of unsigned packages for legitimate purposes such as development or testing
30level: medium

References

• Add-AppxPackage (Appx)

  

  Adds a signed app package to a user account.

  
  Read More

• The Lost Payload: MSIX Resurrection | Splunk

  

  Threat actors weaponize MSIX for malware delivery – learn about MSIX attacks, distribution, and how Splunk's MSIXBuilder helps security teams test detection safely.

  
  Read More

Related rules

• Windows AppX Deployment Full Trust Package Installation
• Windows MSIX Package Support Framework AI_STUBS Execution
• HackTool - LittleCorporal Generated Maldoc Injection
• MMC Executing Files with Reversed Extensions Using RTLO Abuse
• Suspicious Microsoft Office Child Process