T1218.004 InstallUtil Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "installutil.exe"
| extend SuspiciousPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "ProgramData", "\\Users\\")
| extend HasLogFile = ProcessCommandLine has_any ("/logfile", "/log")
| extend Uninstall = ProcessCommandLine has_any ("/u", "/uninstall")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe")
| extend NonDotNetPath = not(ProcessCommandLine has_any ("Program Files", "Program Files (x86)", "Windows\\"))
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, SuspiciousPath, SuspiciousParent, Uninstall, HasLogFile, NonDotNetPath
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where InitiatingProcessFileName =~ "installutil.exe"
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine
  | sort by Timestamp desc
)

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate .NET software installers that use InstallUtil.exe to register Windows services or COM components during installation
Software development teams running InstallUtil to install or uninstall custom .NET components during testing
IT deployment tools (SCCM, PDQ Deploy) using InstallUtil to deploy .NET-based applications
Windows Setup and update processes that invoke InstallUtil for framework component registration

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\installutil.exe" OR ParentImage="*\\installutil.exe")
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|ProgramData|\\\\Users\\\\)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe"), 1, 0)
| eval Uninstall=if(match(CommandLine, "(/u|/uninstall)"), 1, 0)
| eval SuspiciousChild=if(ParentImage="*\\installutil.exe" AND match(Image, "(cmd|powershell|wscript|cscript|rundll32|regsvr32|net)\.exe"), 1, 0)
| eval RiskScore=SuspiciousPath + SuspiciousParent + Uninstall + SuspiciousChild
| where RiskScore > 0 OR ParentImage="*\\installutil.exe"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SuspiciousPath, SuspiciousParent, Uninstall, SuspiciousChild, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate .NET software installers that use InstallUtil.exe to register Windows services or COM components during installation
Software development teams running InstallUtil to install or uninstall custom .NET components during testing
IT deployment tools (SCCM, PDQ Deploy) using InstallUtil to deploy .NET-based applications
Windows Setup and update processes that invoke InstallUtil for framework component registration

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  (
    process.name : "installutil.exe" and
    (
      process.command_line : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*", "*\\Public\\*", "*\\ProgramData\\*", "*\\Users\\*") or
      process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe") or
      process.command_line : ("*/u *", "*/uninstall*", "*/logfile*")
    )
  ) or
  (
    process.parent.name : "installutil.exe" and
    process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe", "net.exe")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon module Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Enterprise software deployment platforms such as SCCM or PDQ Deploy that invoke InstallUtil via a cmd.exe or PowerShell wrapper as part of managed .NET application installation workflows
Visual Studio or MSBuild post-build event steps on developer workstations that register .NET installer components from build output directories under the user profile
Security or monitoring agents that stage components in ProgramData and use InstallUtil for COM or Windows service registration during initial product setup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name,
  CASE WHEN REGEXP_LIKE(LOWER("Command"), '(temp|appdata|downloads|public|programdata|\\\\users\\\\)') THEN 1 ELSE 0 END AS suspicious_path,
  CASE WHEN REGEXP_LIKE(LOWER("Parent Process Name"), '(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe') THEN 1 ELSE 0 END AS suspicious_parent,
  CASE WHEN REGEXP_LIKE(LOWER("Command"), '(/u |/uninstall|/logfile)') THEN 1 ELSE 0 END AS suspicious_flag,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name
FROM events
WHERE
  (
    LOWER("Process Name") LIKE '%installutil.exe'
    OR LOWER("Parent Process Name") LIKE '%installutil.exe'
  )
  AND
  (
    REGEXP_LIKE(LOWER("Command"), '(temp|appdata|downloads|public|programdata|\\\\users\\\\)') = TRUE
    OR REGEXP_LIKE(LOWER("Parent Process Name"), '(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe') = TRUE
    OR REGEXP_LIKE(LOWER("Command"), '(/u |/uninstall|/logfile)') = TRUE
    OR LOWER("Parent Process Name") LIKE '%installutil.exe'
  )
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Sysmon DSM Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Automated deployment jobs run by SCCM, Ansible, or Intune that call InstallUtil from a PowerShell or cmd.exe parent process as part of a legitimate .NET package installation workflow
CI/CD build agents on Windows where MSBuild or Cake Build scripts stage assemblies in a TEMP or user AppData path and then invoke InstallUtil for component registration
IT helpdesk-driven repair operations that run InstallUtil with /u or /uninstall to remove and re-register corrupt .NET services, which will score positively on the suspicious_flag field

Sumo Logic CSE

sql

_sourceCategory=*windows* "installutil.exe"
| parse regex "(?i)(?:Image|ProcessName)\s*[:=]\s*[\"']?(?:[^\"'\s,]*)\\\\(?<process_name>[^\\\\\"'\r\n,]+\.exe)" nodrop
| parse regex "(?i)CommandLine\s*[:=]\s*[\"']?(?<command_line>[^\"'\r\n]+)" nodrop
| parse regex "(?i)ParentImage\s*[:=]\s*[\"']?(?:[^\"'\s,]*)\\\\(?<parent_process>[^\\\\\"'\r\n,]+\.exe)" nodrop
| where process_name matches /(?i)installutil\.exe/ OR parent_process matches /(?i)installutil\.exe/
| eval suspicious_path = if(command_line matches /(?i)(Temp|AppData|Downloads|Public|ProgramData|\\Users\\)/, 1, 0)
| eval suspicious_parent = if(parent_process matches /(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$/, 1, 0)
| eval uninstall_flag = if(command_line matches /(?i)(\/u\s|\/uninstall|\/logfile)/, 1, 0)
| eval suspicious_child = if(parent_process matches /(?i)installutil\.exe$/ AND process_name matches /(?i)(cmd|powershell|wscript|cscript|rundll32|regsvr32|net)\.exe$/, 1, 0)
| eval risk_score = suspicious_path + suspicious_parent + uninstall_flag + suspicious_child
| where risk_score > 0 OR parent_process matches /(?i)installutil\.exe/
| fields _messageTime, _sourceHost, user, process_name, command_line, parent_process, suspicious_path, suspicious_parent, uninstall_flag, suspicious_child, risk_score
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic Installed Collector Windows Event Log source (Microsoft-Windows-Sysmon/Operational)

Required Tables

_sourceCategory=*windows* with Sysmon EventCode 1 events

False Positives

Managed endpoint software deployment via SCCM or Tanium that stages .NET assemblies in ProgramData and invokes InstallUtil through a PowerShell parent, generating both suspicious_path and suspicious_parent hits
Development workstations running Visual Studio build automation where InstallUtil is called from MSBuild with assemblies output to the user's local AppData directory under a project build folder
Security product installation scripts (AV, EDR, DLP) that use InstallUtil with /logfile flags to capture installation output, which will trigger the uninstall_flag field incorrectly

Google Chronicle / SecOps

yaral

rule installutil_proxy_execution_t1218_004 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1218.004 - InstallUtil used as a LOLBIN for proxy execution of malicious .NET assemblies"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1218.004"
    severity = "HIGH"
    confidence = "HIGH"
    created = "2026-04-13"
    reference = "https://attack.mitre.org/techniques/T1218/004/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i).*\\installutil\.exe$`) or
      re.regex($e.principal.process.file.full_path, `(?i).*\\installutil\.exe$`)
    )
    (
      re.regex($e.target.process.command_line, `(?i)(\\Temp\\|\\AppData\\|\\Downloads\\|\\Public\\|\\ProgramData\\|\\Users\\)`) or
      re.regex($e.principal.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$`) or
      re.regex($e.target.process.command_line, `(?i)(/u\s|/uninstall|/logfile)`) or
      (
        re.regex($e.principal.process.file.full_path, `(?i).*\\installutil\.exe$`) and
        re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|wscript|cscript|rundll32|regsvr32|net)\.exe$`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Sysmon forwarded via Chronicle forwarder CrowdStrike or Carbon Black via Chronicle ingestion

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Endpoint management platforms (Intune, SCCM, Jamf for Windows) that invoke InstallUtil via a cmd.exe or PowerShell parent as part of managed .NET application provisioning, matching both the suspicious_parent and path conditions
Developer workstations where iterative .NET component development results in InstallUtil being called from user AppData or a Downloads staging directory during testing cycles
Legitimate administrative uninstallation workflows using /u or /uninstall flags to deregister .NET services or Windows Installer components during software lifecycle management

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName=/(?i)\\installutil\.exe$/ OR ParentBaseFileName=/(?i)^installutil\.exe$/
| SuspiciousPath := if(CommandLine=/(?i)(\\Temp\\|\\AppData\\|\\Downloads\\|\\Public\\|\\ProgramData\\|\\Users\\)/, 1, 0)
| SuspiciousParent := if(ParentBaseFileName=/(?i)^(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$/, 1, 0)
| UninstallFlag := if(CommandLine=/(?i)(\/u\s|\/uninstall|\/logfile)/, 1, 0)
| SuspiciousChild := if(ParentBaseFileName=/(?i)^installutil\.exe$/ AND ImageFileName=/(?i)(cmd|powershell|wscript|cscript|rundll32|regsvr32|net)\.exe$/, 1, 0)
| RiskScore := SuspiciousPath + SuspiciousParent + UninstallFlag + SuspiciousChild
| RiskScore > 0 OR ParentBaseFileName=/(?i)^installutil\.exe$/
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, SuspiciousPath, SuspiciousParent, UninstallFlag, SuspiciousChild, RiskScore])
| sort(field=@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon ProcessRollup2 event stream

Required Tables

ProcessRollup2

False Positives

Falcon-protected endpoints running SCCM or PDQ Deploy software distribution tasks where the deployment wrapper is cmd.exe or PowerShell, triggering SuspiciousParent on legitimate .NET component installations
Windows CI/CD build agents (Azure DevOps, Jenkins) where MSBuild tasks stage .NET assemblies under a user AppData or TEMP build cache directory before invoking InstallUtil for local registration, scoring on SuspiciousPath
IT operations staff using InstallUtil /u during software removal procedures on managed endpoints, which scores on UninstallFlag regardless of payload legitimacy

InstallUtil

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections