Appx Deployment

Date: 2025-08-07 ID: cc912623-efc9-11eb-926b-550bf0943f12 Author: Michael Haag, Splunk Environment: attack_range Directory: appx_deployment

Description

Windows Appx Deployment Server logs

ID	Technique	Tactic
T1204.002	Malicious File	Execution

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1204.002/appx/windows_appxdeploymentserver.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-AppXDeployment-Server

Path: /datasets/attack_techniques/T1204.002/appx/windows-appxpackaging.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-AppxPackagingOM

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
Windows MSIX Package Interaction	`Hunting`	Endpoint	T1204.002	MSIX Package Abuse
Windows AppX Deployment Full Trust Package Installation	`Hunting`	Endpoint	T1553.005, T1204.002	MSIX Package Abuse
Windows Developer-Signed MSIX Package Installation	`Anomaly`	Endpoint	T1553.005, T1204.002	MSIX Package Abuse
Windows AppX Deployment Package Installation Success	`Anomaly`	Endpoint	T1204.002	MSIX Package Abuse
Windows AppX Deployment Unsigned Package Installation	`TTP`	Endpoint	T1553.005, T1204.002	MSIX Package Abuse

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1204.002/appx/windows_appxdeploymentserver.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0