LoFP LoFP / typically, this will not trigger because, by its very nature, installutil does not require credentials. filter as needed.

Techniques

Sample rules

Windows InstallUtil Credential Theft

Description

The following analytic detects instances where the Windows InstallUtil.exe binary loads vaultcli.dll and Samlib.dll. This detection leverages Sysmon EventCode 7 to identify these specific DLL loads. This activity is significant because it can indicate an attempt to execute code that bypasses application control and captures credentials using tools like Mimikatz. If confirmed malicious, this behavior could allow an attacker to steal credentials, potentially leading to unauthorized access and further compromise of the system.

Detection logic

`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN ("*\\samlib.dll", "*\\vaultcli.dll") 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_installutil_credential_theft_filter`