DET0138 Detection of Malicious Code Execution via InstallUtil.exe

Item	Value
ID	DET0138
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1218.004 (InstallUtil)

Analytics

Windows

AN0388

Execution of InstallUtil.exe from .NET framework directories with arguments specifying non-standard or attacker-supplied assemblies, especially when followed by suspicious child process creation or script execution. Detection also includes correlation of newly created binaries prior to InstallUtil invocation and anomalous command-line usage compared to historical baselines.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	WinEventLog:PowerShell	EventCode=4103, 4104, 4105, 4106
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11
Module Load (DC0016)	WinEventLog:Sysmon	EventCode=7

Mutable Elements

Field	Description
InstallUtilPathRegex	Regex pattern for InstallUtil.exe in .NET directories; tune to exclude known good administrative scripts
AssemblyPathRegex	Patterns for identifying suspicious assemblies (e.g., in temp folders, user profiles)
ChildProcessList	List of suspicious child processes spawned from InstallUtil.exe (e.g., cmd.exe, powershell.exe, rundll32.exe)
TimeWindow	Time correlation window between file creation of assembly and its execution via InstallUtil.exe