Windows AppX Deployment Unsigned Package Installation

Sigma Rules

Summary
This rule detects the installation of unsigned MSIX/AppX packages on Windows systems, which can indicate an evasion tactic used by threat actors. It matches events from the AppXDeployment-Server log, specifically EventID 603 with the flags value 8388608. The presence of this event suggests that an attempt to install a package with the -AllowUnsigned parameter has occurred. Unsigned packages pose a security risk because they may bypass traditional security controls and introduce malicious software onto the host. The rule is still experimental and should be used with caution because of the potential for false positives, especially from legitimate development activity.
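The detection described above, implemented over Windows event XML as an added example (this is not the Sigma rule's own content or the SigmaHQ project's code). It keeps to what the summary states: provider Microsoft-Windows-AppXDeployment-Server, EventID 603, flags equal to 8388608 (0x800000). The EventData field names `Flags` and `PackageFullName`, the sample events, and the package names are constructed assumptions for illustration; the allow-list parameter is one way to tune out the development-host false positives the summary warns about.

```python
"""Flag unsigned MSIX/AppX installs from AppXDeployment-Server event XML.

Added example. Matching criteria follow the rule summary:
  provider == Microsoft-Windows-AppXDeployment-Server
  EventID  == 603
  Flags    == 8388608 (0x800000), i.e. install requested with -AllowUnsigned
EventData field names (Flags, PackageFullName) are assumptions; the events
below are constructed sample data, not captured logs.
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROVIDER = "Microsoft-Windows-AppXDeployment-Server"
EVENT_ID = 603
ALLOW_UNSIGNED_FLAGS = 8388608  # 0x800000, value given in the rule summary


def make_event(event_id, flags, package):
    """Build a constructed Windows event XML record (sample data only)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="{PROVIDER}"/><EventID>{event_id}</EventID></System>'
        f'<EventData><Data Name="PackageFullName">{package}</Data>'
        f'<Data Name="Flags">{flags}</Data></EventData></Event>'
    )


# Constructed sample log: one unsigned install, one signed install,
# one unrelated event, one unsigned install from an assumed dev package.
SAMPLE_EVENTS = [
    make_event(603, 8388608, "Contoso.UnsignedTool_1.0.0.0_x64__constructedid0"),
    make_event(603, 0, "Contoso.SignedApp_2.1.0.0_x64__constructedid0"),
    make_event(400, 8388608, "Contoso.Other_1.0.0.0_x64__constructedid0"),
    make_event(603, 8388608, "DevTeam.LocalBuild_0.0.1.0_x64__constructedid0"),
]


def parse_event(xml_text):
    """Extract provider, EventID and EventData name/value pairs."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", EVENT_NS).get("Name")
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    data = {
        d.get("Name"): (d.text or "")
        for d in root.findall("e:EventData/e:Data", EVENT_NS)
    }
    return {"provider": provider, "event_id": event_id, "data": data}


def is_unsigned_install(event):
    """True when the event matches the rule's criteria."""
    if event["provider"] != PROVIDER or event["event_id"] != EVENT_ID:
        return False
    try:
        # base 0 accepts both "8388608" and "0x800000" renderings
        flags = int(event["data"].get("Flags", ""), 0)
    except ValueError:
        return False  # missing or malformed flags never produce a hit
    return flags == ALLOW_UNSIGNED_FLAGS


def detect(xml_events, allowlist_prefixes=()):
    """Return package names of matching events, minus allow-listed prefixes."""
    hits = []
    for xml_text in xml_events:
        event = parse_event(xml_text)
        if not is_unsigned_install(event):
            continue
        package = event["data"].get("PackageFullName", "<unknown>")
        if any(package.startswith(p) for p in allowlist_prefixes):
            continue  # tuned out, e.g. a known development host's packages
        hits.append(package)
    return hits


if __name__ == "__main__":
    for pkg in detect(SAMPLE_EVENTS):
        print("unsigned AppX install:", pkg)
    print("after allow-list:", detect(SAMPLE_EVENTS, allowlist_prefixes=("DevTeam.",)))
```

Run it directly to see both the raw hits and the allow-listed result; in a real pipeline the XML records would come from the Microsoft-Windows-AppXDeployment-Server operational channel rather than from `SAMPLE_EVENTS`.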
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
Created: 2025-11-03