Event Fields
- CategoryString
- Channel
- Computer
- EventCode
- EventData_Xml
- EventID
- EventRecordID
- Keywords
- Level
- Opcode
- ProcessID
- RecordNumber
- SourceName
- SystemTime
- System_Props_Xml
- Task
- TaskCategory
- ThreadID
- Version
- _time
- dest
- host
- packageFullName
- user_id
</div>
Data Source: Windows Event Log AppXPackaging 171
Description
This data source captures Windows Event Logs from the Microsoft-Windows-AppXPackaging/Operational channel, specifically focusing on EventCode 171. These events are generated when a user clicks on or attempts to interact with an MSIX package, even if the package is not fully installed.
Event ID 171 provides information about user interactions with MSIX packages, including the package full name and the user who initiated the interaction. This data is valuable for security monitoring as it can help identify what MSIX packages users are attempting to open in an environment, which may help detect malicious MSIX packages before they're fully installed.
MSIX package abuse has been observed in various threat campaigns, including those from FIN7, Zloader (Storm-0569), and FakeBat (Storm-1113). Monitoring these interactions can provide early warning of potential MSIX package abuse.
Details
| Property | Value |
|---|---|
| Source | XmlWinEventLog:Microsoft-Windows-AppxPackaging/Operational |
| Sourcetype | XmlWinEventLog |
| Separator | EventCode |
Supported Apps
- Splunk Add-on for Microsoft Windows (version 9.0.1)
Example Log
```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-AppXPackaging' Guid='{4bfe0fde-99d6-5630-8a47-da7bfaefd876}'/><EventID>171</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x4000000000000000</Keywords><TimeCreated SystemTime='2025-08-05T12:34:56.7890123Z'/><EventRecordID>123456</EventRecordID><Correlation/><Execution ProcessID='1234' ThreadID='5678'/><Channel>Microsoft-Windows-AppXPackaging/Operational</Channel><Computer>DESKTOP-EXAMPLE</Computer><Security UserID='S-1-5-21-1234567890-1234567890-1234567890-1001'/></System><EventData><Data Name='packageFullName'>MaliciousApp_1.0.0.0_x64__abcd1234</Data></EventData></Event>
```
Source: GitHub | Version: 1