Suspicious Execution of InstallUtil Without Log
Uses the .NET InstallUtil.exe application in order to execute image without log
Sigma rule (View on GitHub)
1title: Suspicious Execution of InstallUtil Without Log
2id: d042284c-a296-4988-9be5-f424fadcc28c
3status: test
4description: Uses the .NET InstallUtil.exe application in order to execute image without log
5references:
6 - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
7 - https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
8author: frack113
9date: 2022-01-23
10modified: 2022-02-04
11tags:
12 - attack.defense-evasion
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\InstallUtil.exe'
19 Image|contains: 'Microsoft.NET\Framework'
20 CommandLine|contains|all:
21 - '/logfile= '
22 - '/LogToConsole=false'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
-
At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.
Read More -
Use Installutil.exe, the Installer Tool. This tool lets you install or uninstall server resources by executing the installer components in specified assemblies.
Read More
Related rules
- AD Object WriteDAC Access
- ADS Zone.Identifier Deleted By Uncommon Application
- AMSI Bypass Pattern Assembly GetType
- APT PRIVATELOG Image Load Pattern
- APT27 - Emissary Panda Activity