# *Detect Unsigned or DevSigned Appx Package Installation*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1059.001 | Command and Scripting Interpreter: PowerShell | https://attack.mitre.org/techniques/T1059/001/ |
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |

#### Description
This KQL query is designed to detect the installation of unsigned or developer-signed Appx/MSIX packages.

#### Risk
Detection of no-defender-loader

#### Author
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html


## Defender XDR
```KQL
// Step 1: PowerShell launching an Appx/MSIX install, excluding the Microsoft publisher IDs
let SuspiciousAppxInstalls =
    DeviceProcessEvents
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any ("Add-AppxPackage", "Add-AppPackage", ".appx", ".msix")
    | where ProcessCommandLine !contains "8wekyb3d8bbwe"
    | where ProcessCommandLine !contains "cw5n1h2txyewy"
    | project ProcessTimestamp = Timestamp, DeviceId, DeviceName, ProcessAccountName = AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
// Step 2: developer-signed package events (EventID=855) on the same device,
// within 300 seconds of such a PowerShell install
let DevSignedAppxPackageInstallation =
    DeviceEvents
    | where AdditionalFields has "EventID=855"
    | join kind=inner (SuspiciousAppxInstalls) on DeviceId
    | where abs(datetime_diff('second', Timestamp, ProcessTimestamp)) <= 300
    | project Timestamp, ProcessTimestamp, DeviceName, ActionType, ProcessAccountName, ProcessCommandLine, FileName, FolderPath, AdditionalFields
    | sort by Timestamp desc;
// Step 3: unsigned package events (EventID=603 with Flags 8388608), independent of the process match
let AppXUnsignedInstallation =
    DeviceEvents
    | where AdditionalFields has "EventID=603"
    | extend Flags = parse_json(AdditionalFields).Flags
    | where Flags == "8388608";
// Step 4: combine both detections into one result set
DevSignedAppxPackageInstallation
| union (AppXUnsignedInstallation)
```

Explanation

This KQL query is designed to detect potentially suspicious installations of Appx or MSIX packages on devices. It focuses on installations that are either unsigned or developer-signed, which can indicate malicious activity. Here is a simplified breakdown of what the query does:

1. Identify suspicious installations:
   - It looks for PowerShell processes (powershell.exe or pwsh.exe) whose command line refers to installing Appx or MSIX packages (Add-AppxPackage, Add-AppPackage, or a .appx/.msix path).
   - It filters out known safe installations by excluding command lines that contain the Microsoft publisher identifiers 8wekyb3d8bbwe and cw5n1h2txyewy.
2. Detect developer-signed packages:
   - It selects DeviceEvents whose AdditionalFields contain EventID=855, which indicates a developer-signed package installation.
   - It joins these events to the suspicious installations on DeviceId and keeps only pairs whose timestamps lie within 300 seconds (5 minutes) of each other.
3. Detect unsigned packages:
   - It selects DeviceEvents containing EventID=603 and checks whether the parsed Flags field equals 8388608, which indicates an unsigned package installation.
4. Combine results:
   - The developer-signed and unsigned detections are unioned into a single result set, giving a combined view of potentially risky installations.

Overall, this query helps security teams monitor and identify potentially malicious software installations that could bypass traditional security measures.
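To make the four steps above testable offline, the following is an added example (not part of the original query or the author's repository) that re-implements the same correlation logic in Python over constructed sample records. The record dictionaries, the device names, and the JSON shape assumed for AdditionalFields (a text field carrying the "EventID=NNN" term plus a Flags key) are all assumptions made for the example; the thresholds and identifiers are copied from the query. It is useful for checking that the 300-second window and the publisher-ID exclusion behave as intended before the query is deployed.

```python
"""Offline re-implementation of the Appx/MSIX detection logic (added example).
All records below are constructed; they are not real Defender telemetry."""
import json
from datetime import datetime, timedelta

# Values copied from the KQL query
POWERSHELL_BINARIES = ("powershell.exe", "pwsh.exe")
INSTALL_TERMS = ("add-appxpackage", "add-apppackage", ".appx", ".msix")
EXCLUDED_PUBLISHER_IDS = ("8wekyb3d8bbwe", "cw5n1h2txyewy")  # Microsoft publisher IDs
CORRELATION_WINDOW = timedelta(seconds=300)
UNSIGNED_FLAGS = "8388608"


def _ts(value):
    return datetime.fromisoformat(value)


def suspicious_appx_installs(process_events):
    """Step 1: PowerShell launching an Appx/MSIX install without an excluded
    Microsoft publisher ID. Case-insensitive, like KQL's in~, has_any, !contains."""
    hits = []
    for ev in process_events:
        if ev["FileName"].lower() not in POWERSHELL_BINARIES:
            continue
        cmd = ev["ProcessCommandLine"].lower()
        if not any(term in cmd for term in INSTALL_TERMS):
            continue
        if any(pub in cmd for pub in EXCLUDED_PUBLISHER_IDS):
            continue
        hits.append(ev)
    return hits


def dev_signed_installs(device_events, process_events):
    """Step 2: EventID=855 events on the same device as a suspicious install,
    within +/- 300 seconds of it (the join plus abs(datetime_diff) filter)."""
    installs = suspicious_appx_installs(process_events)
    hits = []
    for dev in device_events:
        if "EventID=855" not in dev["AdditionalFields"]:
            continue
        for proc in installs:
            if proc["DeviceId"] != dev["DeviceId"]:
                continue
            if abs(_ts(dev["Timestamp"]) - _ts(proc["Timestamp"])) <= CORRELATION_WINDOW:
                hits.append({"Kind": "dev_signed", "DeviceName": dev["DeviceName"],
                             "Timestamp": dev["Timestamp"],
                             "ProcessCommandLine": proc["ProcessCommandLine"]})
    return hits


def unsigned_installs(device_events):
    """Step 3: EventID=603 events whose parsed Flags value equals 8388608."""
    hits = []
    for dev in device_events:
        if "EventID=603" not in dev["AdditionalFields"]:
            continue
        flags = json.loads(dev["AdditionalFields"]).get("Flags")
        if str(flags) == UNSIGNED_FLAGS:
            hits.append({"Kind": "unsigned", "DeviceName": dev["DeviceName"],
                         "Timestamp": dev["Timestamp"], "FileName": dev["FileName"]})
    return hits


def detect(process_events, device_events):
    """Step 4: union of both detections, developer-signed hits first."""
    return dev_signed_installs(device_events, process_events) + unsigned_installs(device_events)


def _fields(event_id, **extra):
    # Assumed AdditionalFields shape: JSON text containing the "EventID=NNN" term
    return json.dumps({"Description": f"EventID={event_id}", **extra})


# Constructed sample telemetry
SAMPLE_PROCESS_EVENTS = [
    {"Timestamp": "2025-10-23T10:00:00", "DeviceId": "dev-1", "DeviceName": "WS01",
     "FileName": "powershell.exe",
     "ProcessCommandLine": r"powershell.exe Add-AppxPackage C:\Users\alice\Downloads\Installer.msix"},
    {"Timestamp": "2025-10-23T10:00:00", "DeviceId": "dev-2", "DeviceName": "WS02",
     "FileName": "powershell.exe",  # Microsoft publisher ID present: excluded by step 1
     "ProcessCommandLine": r"powershell.exe Add-AppxPackage -Register C:\Program Files\WindowsApps\Microsoft.WindowsStore_8wekyb3d8bbwe\AppxManifest.xml"},
    {"Timestamp": "2025-10-23T10:00:00", "DeviceId": "dev-3", "DeviceName": "WS03",
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c dir"},
]
SAMPLE_DEVICE_EVENTS = [
    # 855 two minutes after the install on dev-1: inside the window, reported
    {"Timestamp": "2025-10-23T10:02:00", "DeviceId": "dev-1", "DeviceName": "WS01",
     "FileName": "Installer.msix", "AdditionalFields": _fields(855)},
    # 855 an hour later on dev-1: outside the window, dropped
    {"Timestamp": "2025-10-23T11:00:00", "DeviceId": "dev-1", "DeviceName": "WS01",
     "FileName": "Other.msix", "AdditionalFields": _fields(855)},
    # 603 with the unsigned flag on dev-3: reported even without a PowerShell match
    {"Timestamp": "2025-10-23T12:00:00", "DeviceId": "dev-3", "DeviceName": "WS03",
     "FileName": "Unsigned.appx", "AdditionalFields": _fields(603, Flags="8388608")},
    # 603 with a different flag value: not reported
    {"Timestamp": "2025-10-23T12:01:00", "DeviceId": "dev-3", "DeviceName": "WS03",
     "FileName": "Signed.appx", "AdditionalFields": _fields(603, Flags="0")},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_PROCESS_EVENTS, SAMPLE_DEVICE_EVENTS):
        print(hit)
```

Running the block prints two hits: the developer-signed correlation on WS01 and the unsigned installation on WS03. The second EventID=855 record falls outside the 300-second window and the Microsoft Store registration on WS02 is excluded by the publisher-ID filter, mirroring the behaviour of the KQL.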

Details

Benjamin Zulliger

Released: October 23, 2025

Tables

DeviceProcessEvents, DeviceEvents

Keywords

DeviceProcessEvents, DeviceEvents, FileName, ProcessCommandLine, DeviceId, DeviceName, ProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, FolderPath, AdditionalFields, Timestamp, Flags

Operators

let, in~, has_any, !contains, project, join, on, abs, datetime_diff, <=, sort by, extend, parse_json, ==, union