Techniques
Sample rules
Windows InstallUtil Credential Theft
- source: splunk
- technicques:
- T1218.004
- T1218
Description
This analytic identifies instances where the Windows InstallUtil.exe binary loads vaultcli.dll and Samlib.dll. This technique can be employed to execute code that bypasses application control and captures credentials using tools like Mimikatz.
When InstallUtil.exe is used maliciously, it typically specifies the path to an executable on the filesystem. It is important to observe the parent process in such cases. Suspicious activity often involves being spawned from non-standard processes such as Cmd.exe, PowerShell.exe, or Explorer.exe.
Conversely, when used by developers, it is usually accompanied by multiple command-line switches/arguments and originates from Visual Studio.
During triage, review any resulting network connections, file modifications, and concurrent processes. Capture any artifacts for further review.'
Detection logic
`sysmon` EventCode=7 process_name=installutil.exe loaded_file_path IN ("*\\samlib.dll", "*\\vaultcli.dll")
| stats count min(_time) as firstTime max(_time) as lastTime by user_id, dest, process_name, loaded_file, loaded_file_path, original_file_name, process_guid
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_installutil_credential_theft_filter`