InstallUtil Process Making Network Connections
Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/02"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is
13often leveraged by adversaries to execute code and evade detection.
14"""
15from = "now-9m"
16index = [
17 "logs-endpoint.events.process-*",
18 "logs-endpoint.events.network-*",
19 "winlogbeat-*",
20 "logs-windows.sysmon_operational-*",
21]
22language = "eql"
23license = "Elastic License v2"
24name = "InstallUtil Process Making Network Connections"
25risk_score = 47
26rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
27severity = "medium"
28tags = [
29 "Domain: Endpoint",
30 "OS: Windows",
31 "Use Case: Threat Detection",
32 "Tactic: Defense Evasion",
33 "Data Source: Elastic Defend",
34 "Data Source: Sysmon",
35]
36type = "eql"
37
38query = '''
39/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */
40
41sequence by process.entity_id
42 [process where host.os.type == "windows" and event.type == "start" and process.name : "installutil.exe"]
43 [network where host.os.type == "windows" and process.name : "installutil.exe" and network.direction : ("outgoing", "egress")]
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1218"
51name = "System Binary Proxy Execution"
52reference = "https://attack.mitre.org/techniques/T1218/"
53[[rule.threat.technique.subtechnique]]
54id = "T1218.004"
55name = "InstallUtil"
56reference = "https://attack.mitre.org/techniques/T1218/004/"
57
58
59
60[rule.threat.tactic]
61id = "TA0005"
62name = "Defense Evasion"
63reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Adding Hidden File Attribute via Attrib
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Attempt to Install Kali Linux via WSL
- Bypass UAC via Event Viewer
- Clearing Windows Console History