
Summary
This detection rule identifies the execution of InstallUtil.exe from paths that are not typically associated with its standard operations. It analyzes process-creation telemetry collected by Endpoint Detection and Response (EDR) agents, Sysmon (Event ID 1), or the Windows Security event log (Event ID 4688). InstallUtil.exe is a Microsoft-signed .NET Framework utility that attackers abuse as a proxy for running arbitrary managed code, because application-control policies that trust signed Windows binaries will let it execute; copying the binary to a writable directory, and often renaming it, is the step that takes it out of its trusted location, so monitoring its execution from non-standard directories is a strong indicator of abuse. The rule looks for process execution logs in which InstallUtil.exe is invoked from a path outside its standard directories, such as Windows\System32, Windows\NetworkController, or Windows\Microsoft.NET, where the utility is normally installed. Because the mapped technique T1036.003 (renaming a system utility) means the on-disk name may not be InstallUtil.exe, the original file name recorded in the process event should be matched as well as the process name. When detected, this behavior may indicate that an attacker is staging a masqueraded copy of a system utility or using it to execute a malicious assembly, circumventing traditional security controls.
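The path check the summary describes, re-implemented here as an added Python example over constructed Sysmon Event ID 1 style records. This is not the rule's own search logic; the Sysmon field names (Image, OriginalFileName, CommandLine, Computer) are real, but the three allowlisted directories are only the ones named above and stand in for the rule's full exclusion list. The example goes one step beyond the summary by anchoring the allowlist at the drive root and normalizing the path first, so a directory an attacker can create, such as C:\Users\bob\Windows\System32\, or a traversal like C:\Windows\System32\..\Temp\ is not mistaken for the real one:

```python
"""Flag InstallUtil.exe launched from a non-standard directory.

Added example re-implementing the detection described in the summary; it is
not the rule's own query. Sample events below are constructed, not real
telemetry, and the allowlisted directories are an assumption taken from the
summary text rather than the rule's complete exclusion list.
"""
import ntpath
import re
from typing import Optional

# Directories under the Windows installation from which InstallUtil.exe is
# expected to run. Anchored at the drive root on purpose: a bare wildcard such
# as *\Windows\System32\* is also satisfied by C:\Users\bob\Windows\System32\,
# which any user can create.
STANDARD_DIR_RE = re.compile(
    r"^[a-z]:\\windows\\(system32|networkcontroller|microsoft\.net)\\"
)

TARGET = "installutil.exe"


def normalize_path(path: str) -> str:
    """Lower-case the path, unify separators and collapse . and .. segments,
    so C:/Windows/System32/../Temp/x.exe compares as c:\\windows\\temp\\x.exe."""
    return ntpath.normpath(path).lower()


def is_installutil(event: dict) -> bool:
    """Match on the on-disk name or on the PE's OriginalFileName, so a copy
    renamed to svchost.exe (T1036.003) is still recognised."""
    image = normalize_path(event.get("Image", ""))
    return (
        ntpath.basename(image) == TARGET
        or event.get("OriginalFileName", "").lower() == TARGET
    )


def is_standard_path(image: str) -> bool:
    """True when the normalized image path sits under an allowlisted directory."""
    return STANDARD_DIR_RE.match(normalize_path(image)) is not None


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert record for a suspicious event, or None."""
    if not is_installutil(event):
        return None
    image = normalize_path(event.get("Image", ""))
    if is_standard_path(image):
        return None
    reason = "non-standard path"
    if ntpath.basename(image) != TARGET:
        reason += ", renamed binary"
    return {
        "host": event.get("Computer", ""),
        "image": event.get("Image", ""),
        "command_line": event.get("CommandLine", ""),
        "reason": reason,
    }


def detect(events) -> list:
    """Run evaluate() over an iterable of events and keep the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed Sysmon Event ID 1 records (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "OriginalFileName": "InstallUtil.exe", "CommandLine": "InstallUtil.exe MyService.exe"},
    {"Computer": "ws02", "Image": r"C:\Users\bob\AppData\Local\Temp\InstallUtil.exe",
     "OriginalFileName": "InstallUtil.exe",
     "CommandLine": "InstallUtil.exe /logfile= /LogToConsole=false /U payload.dll"},
    {"Computer": "ws03", "Image": r"C:\ProgramData\svchost.exe",
     "OriginalFileName": "InstallUtil.exe", "CommandLine": "svchost.exe /U loader.dll"},
    {"Computer": "ws04", "Image": r"C:\Users\bob\Windows\System32\InstallUtil.exe",
     "OriginalFileName": "InstallUtil.exe", "CommandLine": "InstallUtil.exe /U x.dll"},
    {"Computer": "ws05", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe"},
    {"Computer": "ws06", "Image": "C:/Windows/System32/../Temp/InstallUtil.exe",
     "OriginalFileName": "InstallUtil.exe", "CommandLine": "InstallUtil.exe /U y.dll"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Of the six constructed events only the first (the real Microsoft.NET location) and the fifth (not InstallUtil at all) are silent; the renamed copy in ProgramData is caught through OriginalFileName, and the two path tricks are caught because the allowlist is applied to the normalized, root-anchored path rather than to a substring.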
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Image
ATT&CK Techniques
- T1036.003 (Masquerading: Rename System Utilities)
- T1036 (Masquerading)
- T1218.004 (System Binary Proxy Execution: InstallUtil)
- T1218 (System Binary Proxy Execution)
Created: 2024-11-13