InstallUtil Execution
InstallUtil may be abused to bypass process whitelisting or proxy the execution of code through a trusted Windows utility.
| id: | b937f762-466f-4242-a461-d68e6e4bfc5a |
|---|---|
| categories: | hunt |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Execution, Defense Evasion |
|---|---|
| techniques: | T1118 InstallUtil |
Query
```
process where subtype.create and
  process_name == "installutil.exe" and
  command_line == "* *"
| unique parent_process_name, command_line
```
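The following is an added example, not part of the original analytic or of the EQL project: it emulates the query's filter and `unique` pipe in Python over constructed process events, so the effect of each clause can be checked offline. The flat event shape, the sample paths, the helper names `ev`, `wildcard_eq` and `hunt`, and the case-insensitive matching are assumptions of this sketch.

```python
import re

# Constructed process events (not real telemetry). The flat dict shape and the
# paths are assumptions; field names mirror the ones used in the query.
def ev(subtype, name, parent, cmd):
    return {"event_type": "process", "subtype": subtype, "process_name": name,
            "parent_process_name": parent, "command_line": cmd}

DLL = r"InstallUtil.exe C:\constructed\example.dll"
EVENTS = [
    ev("create", "InstallUtil.exe", "cmd.exe", DLL),
    ev("create", "InstallUtil.exe", "cmd.exe", DLL),          # exact repeat
    ev("create", "InstallUtil.exe", "powershell.exe", DLL),   # new parent
    ev("create", "installutil.exe", "explorer.exe", "installutil.exe"),  # no args
    ev("terminate", "InstallUtil.exe", "cmd.exe", DLL),       # not a creation
    ev("create", "notepad.exe", "explorer.exe", r"notepad.exe C:\constructed\a.txt"),
    # No arguments, but the quoted path itself contains a space.
    ev("create", "InstallUtil.exe", "services.exe",
       r'"C:\Program Files\constructed\InstallUtil.exe"'),
]

def wildcard_eq(value, pattern):
    """Compare with '*' wildcards, ignoring case (assumed semantics of ==)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def hunt(events):
    """Apply the query's filter, then keep the first event per unique pair."""
    seen, hits = set(), []
    for e in events:
        if e.get("event_type") != "process" or e.get("subtype") != "create":
            continue
        if not wildcard_eq(e.get("process_name", ""), "installutil.exe"):
            continue
        if not wildcard_eq(e.get("command_line", ""), "* *"):
            continue
        key = (e.get("parent_process_name"), e.get("command_line"))
        if key not in seen:   # | unique parent_process_name, command_line
            seen.add(key)
            hits.append(e)
    return hits

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["parent_process_name"], "->", hit["command_line"])
```

The last constructed event is returned even though it carries no arguments: `"* *"` matches any command line containing a space, including one inside a quoted path, so it only approximates "invoked with arguments".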