InstallUtil Execution
InstallUtil may be abused to bypass process whitelisting or proxy the execution of code through a trusted Windows utility.
| id: | b937f762-466f-4242-a461-d68e6e4bfc5a |
|---|---|
| categories: | hunt |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Execution, Defense Evasion |
|---|---|
| techniques: | T1118 InstallUtil |
Query

```
process where subtype.create and
  process_name == "installutil.exe" and
  command_line == "* *"
| unique parent_process_name, command_line
```
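
The query's logic replayed over constructed process events, as an added example that is not part of the original analytic. The `ev`, `wildcard` and `hunt` helpers and every sample event are assumptions; the matcher treats `*` as any run of characters and compares case-insensitively.

```python
import re

# Constructed process events (not real telemetry); field names follow the query.
def ev(subtype, name, parent, cmd):
    return {"event_type": "process", "subtype": subtype, "process_name": name,
            "parent_process_name": parent, "command_line": cmd}

EVENTS = [
    ev("create", "InstallUtil.exe", "cmd.exe", r"InstallUtil.exe /U C:\Temp\sample.dll"),
    ev("create", "InstallUtil.exe", "cmd.exe", r"InstallUtil.exe /U C:\Temp\sample.dll"),
    ev("create", "installutil.exe", "explorer.exe", "installutil.exe"),
    ev("terminate", "installutil.exe", "cmd.exe", r"InstallUtil.exe /U C:\Temp\sample.dll"),
    ev("create", "msbuild.exe", "cmd.exe", "msbuild.exe project.xml"),
    ev("create", "installutil.exe", "services.exe", r'"C:\Tools Dir\installutil.exe"'),
]


def wildcard(pattern, value):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def hunt(events):
    """Return (parent_process_name, command_line) pairs the query would report."""
    seen, hits = set(), []
    for e in events:
        # process where subtype.create
        if e["event_type"] != "process" or e["subtype"] != "create":
            continue
        if not wildcard("installutil.exe", e["process_name"]):
            continue
        # command_line == "* *": keep only command lines that contain a space
        if not wildcard("* *", e["command_line"]):
            continue
        # | unique parent_process_name, command_line (exact values in this sketch)
        key = (e["parent_process_name"], e["command_line"])
        if key not in seen:
            seen.add(key)
            hits.append(key)
    return hits


if __name__ == "__main__":
    for parent, cmd in hunt(EVENTS):
        print(f"{parent:15} {cmd}")
```

The second hit is a quoted path with no arguments: `"* *"` matches any command line containing a space, so results still need review by parent process and arguments.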