Execution of InstallUtil.exe from the .NET Framework directories (Framework and Framework64) with arguments naming an assembly outside expected install locations (temp directories, user profiles, or other attacker-writable paths), especially when followed by suspicious child process creation or script execution. The strategy also correlates assemblies written to disk shortly before the InstallUtil invocation, and flags command-line usage that deviates from the historical baseline for the host or user. Note that the /U (uninstall) switch still runs code in the assembly's installer class, so an uninstall invocation is not benign by default.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| InstallUtilPathRegex | Regex pattern for InstallUtil.exe in .NET directories; tune to exclude known good administrative scripts |
| AssemblyPathRegex | Patterns for identifying suspicious assemblies (e.g., in temp folders, user profiles) |
| ChildProcessList | List of suspicious child processes spawned from InstallUtil.exe (e.g., cmd.exe, powershell.exe, rundll32.exe) |
| TimeWindow | Time correlation window between file creation of assembly and its execution via InstallUtil.exe |
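The detection logic described above, applied to constructed Sysmon process-creation (EventCode 1) and file-creation (EventCode 11) records, as an added example that is not part of the original page or of any MITRE-published analytic. The tunable names mirror the table above; their concrete values (regexes, the ten-minute window, the sample events, and the rule labels) are assumptions chosen for illustration. Three checks are implemented: an assembly argument in a suspicious location, an assembly created within the time window before InstallUtil ran, and a child process from the suspicious list spawned by InstallUtil. PowerShell script-block (4104) and module-load (Sysmon 7) telemetry are not modelled here.

```python
import re
from datetime import datetime, timedelta

# Tunables from the table above; the concrete values are assumptions for this example.
InstallUtilPathRegex = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[0-9.]+\\installutil\.exe$", re.I)
AssemblyPathRegex = re.compile(r"\\(temp|appdata|users\\[^\\]+\\downloads|public)\\", re.I)
ChildProcessList = {"cmd.exe", "powershell.exe", "rundll32.exe"}
TimeWindow = timedelta(minutes=10)

# Constructed Sysmon events (EventCode 1 = process create, 11 = file create); not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": 11, "UtcTime": "2024-05-01 10:00:00",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\upd.dll"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:30", "ProcessId": 4120,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe /logfile= /LogToConsole=false /U "C:\Users\alice\AppData\Local\Temp\upd.dll"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessId": 3000},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:31", "ProcessId": 4188,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ParentProcessId": 4120},
    # Benign: a vendor installer registering a service from Program Files, no recent file write.
    {"EventCode": 1, "UtcTime": "2024-05-01 11:00:00", "ProcessId": 5200,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe /i "C:\Program Files\Vendor\AgentService.exe"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "ParentProcessId": 900},
]

# Splits a Windows command line into tokens, honouring double-quoted paths with spaces.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def assembly_args(cmdline):
    """Assembly paths handed to InstallUtil: every token after argv[0] that is not a /switch."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    return [t for t in tokens[1:] if not t.startswith(("/", "-"))]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run the three checks over a batch of events and return one alert dict per finding."""
    alerts = []
    creates = [e for e in events if e["EventCode"] == 11]
    procs = [e for e in events if e["EventCode"] == 1]
    for p in procs:
        if InstallUtilPathRegex.match(p["Image"]):
            for asm in assembly_args(p["CommandLine"]):
                # Check 1: assembly sits in a temp/profile-style location.
                if AssemblyPathRegex.search(asm):
                    alerts.append({"rule": "suspicious_assembly_path",
                                   "pid": p["ProcessId"], "assembly": asm})
                # Check 2: the same file was created within TimeWindow before this invocation.
                for c in creates:
                    if (c["TargetFilename"].lower() == asm.lower()
                            and timedelta(0) <= ts(p) - ts(c) <= TimeWindow):
                        alerts.append({"rule": "assembly_created_before_run",
                                       "pid": p["ProcessId"], "assembly": asm,
                                       "creator": c["Image"]})
        # Check 3: InstallUtil spawned something from the suspicious child list.
        if InstallUtilPathRegex.match(p["ParentImage"]) and basename(p["Image"]) in ChildProcessList:
            alerts.append({"rule": "suspicious_child", "pid": p["ProcessId"],
                           "parent_pid": p["ParentProcessId"], "child": basename(p["Image"])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample batch the malicious sequence produces three alerts (temp-path assembly, assembly written 30 seconds before execution, and cmd.exe as a child), while the Program Files invocation produces none. In production the file-creation join should be keyed on host as well as path, and the baseline comparison the strategy calls for needs a history store that this stand-alone example does not carry.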