LoFP LoFP / limited false positives should be present as installutil is not typically used to download remote files. filter as needed based on developers requirements.

Techniques

Sample rules

Windows InstallUtil Remote Network Connection

Description

The following analytic detects the Windows InstallUtil.exe binary making a remote network connection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network telemetry. This activity is significant because InstallUtil.exe can be exploited to download and execute malicious code, bypassing application control mechanisms. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise, data exfiltration, or lateral movement within the network. Analysts should review the parent process, network connections, and any associated file modifications to determine the legitimacy of this activity.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` by _time span=1h  Processes.process_id Processes.process_name Processes.dest Processes.user Processes.process_path Processes.process Processes.parent_process_name Processes.original_file_name 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| join  process_id [
| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port 
| `drop_dm_object_name(All_Traffic)` 
| rename dest as C2 ] 
| table _time user dest parent_process_name process_name process_path process process_id dest_port C2 
| `windows_installutil_remote_network_connection_filter`

Windows InstallUtil URL in Command Line

Description

The following analytic detects the use of Windows InstallUtil.exe with an HTTP or HTTPS URL in the command line. This is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing URLs. This activity is significant as it may indicate an attempt to download and execute malicious code, potentially bypassing application control mechanisms. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment. Analysts should review the parent process, network connections, file modifications, and related processes for further investigation.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN ("*http://*","*https://*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_installutil_url_in_command_line_filter`

Windows InstallUtil Uninstall Option with Network

Description

The following analytic identifies the use of Windows InstallUtil.exe making a remote network connection using the /u (uninstall) switch. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and network activity data. This behavior is significant as it may indicate an attempt to download and execute code while bypassing application control mechanisms. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN ("*/u*", "*uninstall*") by _time span=1h  Processes.user Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| join  process_id [
| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.process_id All_Traffic.dest All_Traffic.dest_port 
| `drop_dm_object_name(All_Traffic)` 
| rename dest as C2 ] 
| table _time user dest parent_process_name process_name process_path process process_id dest_port C2 
| `windows_installutil_uninstall_option_with_network_filter`