
Summary
The detection rule identifies instances where InstallUtil.exe makes outbound network connections, a behavior frequently exploited by attackers to evade detection while executing malicious code. The rule works by observing the first network connection attempt made by InstallUtil.exe in a Windows environment, using Elastic's EQL (Event Query Language) to restrict alerts to that first outbound connection. It correlates the start of the InstallUtil.exe process with any egress network event attributed to the same process entity. While InstallUtil.exe serves legitimate purposes, adversaries leverage its capabilities for malicious activities, and the detection aims to highlight potentially harmful use of this utility so that security teams can investigate promptly. Recommended investigation steps include reviewing the alert details, examining the network connections for trustworthiness, analyzing the parent process, and assessing the timing of related activities. Care should also be taken to ensure the detection does not create excessive false positives, which can arise from legitimate software installations or automated deployment tools. Finally, the rule calls for immediate incident response actions if a malicious connection is confirmed, to prevent further threats and maintain system integrity.
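The correlation described above (a process start of InstallUtil.exe followed by the first egress connection attributed to the same process entity, reported once per entity) can be re-implemented as a small stand-alone detector to see how the logic behaves on edge cases. The following Python is an added example written for this page; it is not Elastic's rule, its EQL query, or any project code. It assumes flat ECS-style event dictionaries with the field names used in the sample, and the 30-second correlation window (`maxspan_s`) is a tunable chosen for the example, not a value stated on the page. The sample events are constructed, not captured from a real host.

```python
"""Added example: toy re-implementation of the 'process start, then first
outbound connection by the same entity' correlation.  Not Elastic's code.
Assumptions: flat ECS-style dicts; maxspan_s is a window chosen here."""
from typing import Dict, Iterable, List, Optional, Set

Event = Dict[str, object]

# Constructed sample telemetry (not from a real host).  Comments give the
# expected outcome for each process entity.
SAMPLE_EVENTS: List[Event] = [
    # p-1: InstallUtil.exe starts, then two egress connections -> one alert (first only)
    {"@timestamp": 1000.0, "event.category": "process", "event.type": "start",
     "process.name": "InstallUtil.exe", "process.entity_id": "p-1",
     "process.parent.name": "cmd.exe"},
    {"@timestamp": 1002.5, "event.category": "network", "network.direction": "egress",
     "process.name": "InstallUtil.exe", "process.entity_id": "p-1",
     "destination.ip": "203.0.113.10", "destination.port": 443},
    {"@timestamp": 1003.0, "event.category": "network", "network.direction": "egress",
     "process.name": "InstallUtil.exe", "process.entity_id": "p-1",
     "destination.ip": "203.0.113.10", "destination.port": 443},
    # p-2: a different process making an outbound connection -> no alert (name filter)
    {"@timestamp": 1010.0, "event.category": "process", "event.type": "start",
     "process.name": "svchost.exe", "process.entity_id": "p-2",
     "process.parent.name": "services.exe"},
    {"@timestamp": 1011.0, "event.category": "network", "network.direction": "egress",
     "process.name": "svchost.exe", "process.entity_id": "p-2",
     "destination.ip": "198.51.100.5", "destination.port": 80},
    # p-3: start, first egress 45 s later -> outside the 30 s window (alerts if window disabled)
    {"@timestamp": 2000.0, "event.category": "process", "event.type": "start",
     "process.name": "installutil.exe", "process.entity_id": "p-3",
     "process.parent.name": "msiexec.exe"},
    {"@timestamp": 2045.0, "event.category": "network", "network.direction": "egress",
     "process.name": "installutil.exe", "process.entity_id": "p-3",
     "destination.ip": "192.0.2.20", "destination.port": 8080},
    # p-4: ingress only -> no alert (direction filter)
    {"@timestamp": 3000.0, "event.category": "process", "event.type": "start",
     "process.name": "InstallUtil.exe", "process.entity_id": "p-4",
     "process.parent.name": "powershell.exe"},
    {"@timestamp": 3001.0, "event.category": "network", "network.direction": "ingress",
     "process.name": "InstallUtil.exe", "process.entity_id": "p-4",
     "source.ip": "192.0.2.30", "destination.port": 49152},
    # p-9: egress with no recorded start for its entity -> no alert (sequence needs the start)
    {"@timestamp": 4000.0, "event.category": "network", "network.direction": "egress",
     "process.name": "InstallUtil.exe", "process.entity_id": "p-9",
     "destination.ip": "203.0.113.99", "destination.port": 443},
]


def first_outbound_after_start(events: Iterable[Event],
                               process_name: str = "installutil.exe",
                               maxspan_s: Optional[float] = 30.0) -> List[Event]:
    """Return one alert per process entity whose first egress connection
    follows its recorded process start (within maxspan_s seconds, if set)."""
    starts: Dict[str, Event] = {}      # entity_id -> process start event
    alerted: Set[str] = set()          # entities already reported (first connection only)
    alerts: List[Event] = []
    for ev in sorted(events, key=lambda e: float(e["@timestamp"])):
        # Name match is case-insensitive: the binary may be logged in either case.
        if str(ev.get("process.name", "")).lower() != process_name.lower():
            continue
        eid = str(ev["process.entity_id"])
        if ev.get("event.category") == "process" and ev.get("event.type") == "start":
            starts[eid] = ev           # remember the start so later egress can be tied to it
            continue
        if ev.get("event.category") != "network" or \
                ev.get("network.direction") not in ("egress", "outgoing"):
            continue
        start = starts.get(eid)
        if start is None or eid in alerted:
            continue                   # no start seen, or already reported this entity
        delta = float(ev["@timestamp"]) - float(start["@timestamp"])
        if maxspan_s is not None and delta > maxspan_s:
            continue                   # too long after the start to be the sequence of interest
        alerted.add(eid)
        # Carry the fields the investigation steps ask for: parent, destination, timing.
        alerts.append({
            "process.entity_id": eid,
            "process.parent.name": start.get("process.parent.name"),
            "destination.ip": ev.get("destination.ip"),
            "destination.port": ev.get("destination.port"),
            "seconds_after_start": delta,
        })
    return alerts


def triage_summary(alert: Event) -> str:
    """One-line summary in the order an analyst would review it."""
    return (f"entity={alert['process.entity_id']} parent={alert['process.parent.name']} "
            f"dest={alert['destination.ip']}:{alert['destination.port']} "
            f"+{alert['seconds_after_start']:.1f}s after start")


if __name__ == "__main__":
    for a in first_outbound_after_start(SAMPLE_EVENTS):
        print(triage_summary(a))
```

Running the block on the constructed sample yields a single alert for entity p-1; the second connection from the same entity, the unrelated process, the inbound-only case and the egress with no recorded start are all filtered, while p-3 is filtered only by the time window, which is where tuning against legitimate installers and deployment tooling would happen.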
Categories
- Endpoint
- Windows
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1218
- T1218.004
Created: 2020-09-02