Suspicious Execution of InstallUtil Without Log
Uses the .NET InstallUtil.exe application in order to execute image without log
Sigma rule (View on GitHub)
1title: Suspicious Execution of InstallUtil Without Log
2id: d042284c-a296-4988-9be5-f424fadcc28c
3status: test
4description: Uses the .NET InstallUtil.exe application in order to execute image without log
5references:
6 - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
7 - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
8author: frack113
9date: 2022/01/23
10modified: 2022/02/04
11tags:
12 - attack.defense_evasion
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\InstallUtil.exe'
19 Image|contains: 'Microsoft.NET\Framework'
20 CommandLine|contains|all:
21 - '/logfile= '
22 - '/LogToConsole=false'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
-
At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.
Read More -
Use Installutil.exe, the Installer Tool. This tool lets you install or uninstall server resources by executing the installer components in specified assemblies.
Read More
Related rules
- AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
- DLL Execution Via Register-cimprovider.exe
- Detection of PowerShell Execution via Sqlps.exe
- Devtoolslauncher.exe Executes Specified Binary
- Disabled IE Security Features