Detect Unsigned Or Dev Signed Appx Package Installation
Query
let SuspiciousAppxInstalls =
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Add-AppxPackage", "Add-AppPackage", ".appx", ".msix")
| where ProcessCommandLine !contains "8wekyb3d8bbwe"
| where ProcessCommandLine !contains "cw5n1h2txyewy"
| project ProcessTimestamp = Timestamp, DeviceId, DeviceName, ProcessAccountName = AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
let DevSignedAppxPackageInstallation = DeviceEvents
| where AdditionalFields has "EventID=855"
| join kind=inner (
SuspiciousAppxInstalls
) on DeviceId
| where abs(datetime_diff('second', Timestamp, ProcessTimestamp)) <= 300
| project Timestamp, ProcessTimestamp, DeviceName, ActionType, ProcessAccountName, ProcessCommandLine, FileName, FolderPath, AdditionalFields
| sort by Timestamp desc;
let AppXUnsignedInstallation = DeviceEvents
| where AdditionalFields has "EventID=603"
| extend Flags = parse_json(AdditionalFields).Flags
| where Flags == "8388608";
DevSignedAppxPackageInstallation
| union (AppXUnsignedInstallation)About this query
Detect Unsigned or DevSigned Appx Package Installation
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1059.001 | Powershell | https://attack.mitre.org/techniques/T1562/001/ |
| T1204.002 | User Execution: Malicious File | https://attack.mitre.org/techniques/T1204/002/ |
Description
This KQL query is designed to detect the Installation of unsigned oder Developer Signed Appx/MSIX Packages
Risk
Detection of no-defender-loader
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
References
Defender XDR
Explanation
This KQL query is designed to detect potentially suspicious installations of Appx or MSIX packages on devices. It focuses on identifying installations that are either unsigned or signed by developers, which could indicate malicious activity. Here's a simplified breakdown of what the query does:
-
Identify Suspicious Installations:
- It looks for processes running PowerShell (
powershell.exeorpwsh.exe) that execute commands related to installing Appx or MSIX packages (e.g.,Add-AppxPackage,Add-AppPackage). - It filters out known safe installations by excluding certain identifiers in the command line (
8wekyb3d8bbweandcw5n1h2txyewy).
- It looks for processes running PowerShell (
-
Detect Developer-Signed Packages:
- It checks for events with a specific ID (
EventID=855) that indicate developer-signed package installations. - It matches these events with the previously identified suspicious installations if they occur within a 5-minute window.
- It checks for events with a specific ID (
-
Detect Unsigned Packages:
- It looks for events with another specific ID (
EventID=603) and checks if they have a particular flag (Flags == "8388608") indicating an unsigned package installation.
- It looks for events with another specific ID (
-
Combine Results:
- The query combines the results of developer-signed and unsigned package detections to provide a comprehensive view of potentially risky installations.
Overall, this query helps security teams monitor and identify potentially malicious software installations that could bypass traditional security measures.
Details

Benjamin Zulliger
Released: October 23, 2025
Tables
Keywords
Operators