HUNTS- InstallUtil (T1118)
Version 1.0
ATT&CK Technique: InstallUtil (T1118)
What this playbook hunts for:
- Processes spawned by InstallUtil and invocation of InstallUtil via the command line. InstallUtil allows for the installation and execution of code located in .NET binaries, so attackers can use it to execute malicious code. InstallUtil is an example of a Living off the Land (LOL) binary: a native Windows executable that is rarely blocked by AppLocker or anti-virus software.
How the playbook works:
- Generates a SIEM query for Sysmon Event ID 1 logs where InstallUtil is passed as a command line argument.
- Generates a SIEM query for Sysmon Event ID 1 logs where InstallUtil.exe is the parent process.
What results are expected:
- Name, process ID, and path of the InstallUtil.exe process
- Command line arguments for InstallUtil.exe and for the various command shells where InstallUtil is passed as an argument
- InstallUtil.exe execution time
- MD5 hash of the process spawned by InstallUtil.exe
- Hostname of the computer where InstallUtil.exe was executed
- User account that was used to execute the InstallUtil.exe process
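The two queries under "How the playbook works" and the fields listed under "What results are expected", worked through as an added example that is not part of the playbook itself: it applies both checks to constructed Sysmon Event ID 1 records (field names follow Sysmon's Event ID 1 schema; hosts, users, paths and hashes are placeholders) and emits one finding per hit carrying the expected fields.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry;
# hashes, hosts and paths are placeholders.
EVENTS = [
    {"UtcTime": "2023-05-01 12:00:01", "Computer": "WS01", "User": "CORP\\alice",
     "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c InstallUtil.exe C:\Users\alice\AppData\Local\Temp\sample.dll",
     "Hashes": "MD5=AAAA,SHA256=BBBB", "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2023-05-01 12:00:02", "Computer": "WS01", "User": "CORP\\alice",
     "ProcessId": 4188, "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe", "Hashes": "MD5=CCCC,SHA256=DDDD",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"},
    {"UtcTime": "2023-05-01 12:00:03", "Computer": "WS02", "User": "CORP\\bob",
     "ProcessId": 512, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "Hashes": "MD5=EEEE,SHA256=FFFF",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Matches the bare name with or without the .exe suffix, in any case.
INSTALLUTIL = re.compile(r"installutil(\.exe)?", re.IGNORECASE)

def md5_from_hashes(hashes):
    """Sysmon writes hashes as 'MD5=...,SHA256=...'; return the MD5 value."""
    for part in hashes.split(","):
        if part.upper().startswith("MD5="):
            return part.split("=", 1)[1]
    return ""

def hunt_installutil(events):
    """Apply the playbook's two queries and return one finding per hit."""
    findings = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1]
        parent = ev["ParentImage"].rsplit("\\", 1)[-1]
        if INSTALLUTIL.search(ev["CommandLine"]) or INSTALLUTIL.fullmatch(image):
            rule = "installutil_on_command_line"   # query 1: passed on the command line
        elif INSTALLUTIL.fullmatch(parent):
            rule = "spawned_by_installutil"        # query 2: InstallUtil.exe is the parent
        else:
            continue
        findings.append({
            "rule": rule, "host": ev["Computer"], "user": ev["User"],
            "time": ev["UtcTime"], "pid": ev["ProcessId"], "image": ev["Image"],
            "cmdline": ev["CommandLine"], "md5": md5_from_hashes(ev["Hashes"]),
        })
    return findings
```

Each finding maps directly onto the "Create and Link Alerts from Hunt (Host-based)" subroutine, which is where the follow-on actions listed below would be triggered.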
Common follow-on actions:
- Acquire forensic image
- Sandbox file
- Get running processes
- Get network connections
- Quarantine host
What inputs are necessary:
- SIEM
- Logs: Sysmon Event ID 1: Process creation
- Hunt start time
What subroutine playbooks are needed:
- Create and Link Alerts from Hunt (Host-based)
What configurations are needed:
- Sysmon logging enabled
False Positive Potential: Low
- Execution of InstallUtil.exe is uncommon and the binary itself is not native to most Windows systems. InstallUtil.exe is most commonly executed via the Microsoft Visual Studio command prompt.
