LoFP LoFP / limited false positives should be present as installutil is not typically used to download remote files. filter as needed based on developers requirements.

Techniques

Sample rules

Windows InstallUtil Uninstall Option with Network

Description

The following analytic identifies the use of Windows InstallUtil.exe making a remote network connection using the /u (uninstall) switch. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process and network activity data. This behavior is significant as it may indicate an attempt to download and execute code while bypassing application control mechanisms. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where `process_installutil` Processes.process IN ("*/u*", "*uninstall*") by _time span=1h Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| join  process_id [
| tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port != 0 by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction All_Traffic.process_id 
| `drop_dm_object_name(All_Traffic)` 
| rename dest as C2 ] 
| table _time user dest parent_process_name process_name process_path process process_id dest_port C2 
| `windows_installutil_uninstall_option_with_network_filter`

Windows InstallUtil Remote Network Connection

Description

The following analytic detects the Windows InstallUtil.exe binary making a remote network connection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network telemetry. This activity is significant because InstallUtil.exe can be exploited to download and execute malicious code, bypassing application control mechanisms. If confirmed malicious, an attacker could achieve code execution, potentially leading to further system compromise, data exfiltration, or lateral movement within the network. Analysts should review the parent process, network connections, and any associated file modifications to determine the legitimacy of this activity.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
  where `process_installutil` by _time span=1h Processes.action Processes.dest Processes.original_file_name
  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
  Processes.user Processes.user_id Processes.vendor_product 

| `drop_dm_object_name(Processes)` 

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)` 

| join process_id dest
    [
| tstats `security_content_summariesonly`
        count FROM datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port !=
        0 by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
        All_Traffic.dest  All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
        All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
        All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.direction All_Traffic.process_id
    
| `drop_dm_object_name(All_Traffic)` 
    
| rename dest as command_and_control
    
| rename src as dest] 

| table _time user src dest parent_process_name process_name process_path process process_id dest_port command_and_control

| stats count min(_time) as firstTime max(_time) as lastTime values(process) as process values(command_and_control) as command_and_control by user dest process_name process_id dest_port parent_process_name 

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)`
| `windows_installutil_remote_network_connection_filter`

Windows InstallUtil URL in Command Line

Description

The following analytic detects the use of Windows InstallUtil.exe with an HTTP or HTTPS URL in the command line. This is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions containing URLs. This activity is significant as it may indicate an attempt to download and execute malicious code, potentially bypassing application control mechanisms. If confirmed malicious, this could lead to unauthorized code execution, privilege escalation, or persistent access within the environment. Analysts should review the parent process, network connections, file modifications, and related processes for further investigation.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_installutil` Processes.process IN ("*http://*","*https://*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_installutil_url_in_command_line_filter`