Detect InstallUtil in Sumo Logic CSE
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary is digitally signed by Microsoft and located in the .NET directories. InstallUtil may also bypass application control by using the [System.ComponentModel.RunInstaller(true)] attribute decorator pattern. Known users of this technique include Mustang Panda (Beacon stager), WhisperGate (Windows Defender disable), Chaes malware, Saint Bot, and the Covenant C2 framework.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1218 System Binary Proxy Execution
- Sub-technique: T1218.004 InstallUtil
- Canonical reference: https://attack.mitre.org/techniques/T1218/004/
Sumo Detection Query
_sourceCategory=*windows* "installutil.exe"
// Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, User); nodrop keeps events where a field is absent
| parse regex "(?i)(?:Image|ProcessName)\s*[:=]\s*[\"']?(?:[^\"'\s,]*)\\\\(?<process_name>[^\\\\\"'\r\n,]+\.exe)" nodrop
| parse regex "(?i)CommandLine\s*[:=]\s*[\"']?(?<command_line>[^\"'\r\n]+)" nodrop
| parse regex "(?i)ParentImage\s*[:=]\s*[\"']?(?:[^\"'\s,]*)\\\\(?<parent_process>[^\\\\\"'\r\n,]+\.exe)" nodrop
| parse regex "(?i)\bUser\s*[:=]\s*[\"']?(?<user>[^\"'\r\n,]+)" nodrop
| where process_name matches /(?i)installutil\.exe/ or parent_process matches /(?i)installutil\.exe/
// Four indicators, each 0 or 1, written as if() expressions aliased with "as"
| if(command_line matches /(?i)(Temp|AppData|Downloads|Public|ProgramData|\\Users\\)/, 1, 0) as suspicious_path
| if(parent_process matches /(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$/, 1, 0) as suspicious_parent
| if(command_line matches /(?i)(\/u\s|\/uninstall|\/logfile)/, 1, 0) as uninstall_flag
| if(parent_process matches /(?i)installutil\.exe$/ and process_name matches /(?i)(cmd|powershell|wscript|cscript|rundll32|regsvr32|net)\.exe$/, 1, 0) as suspicious_child
| suspicious_path + suspicious_parent + uninstall_flag + suspicious_child as risk_score
| where risk_score > 0 or parent_process matches /(?i)installutil\.exe/
| fields _messageTime, _sourceHost, user, process_name, command_line, parent_process, suspicious_path, suspicious_parent, uninstall_flag, suspicious_child, risk_score
| sort by _messageTime desc

Detects T1218.004 InstallUtil proxy execution in Sumo Logic by parsing Sysmon Event ID 1 process creation logs. It computes a risk score across four indicators: suspicious path, interpreter parent, uninstall or log suppression flags, and suspicious child process. Every event scoring above zero is surfaced, as is any event where InstallUtil is the parent, regardless of score.
False Positives & Tuning
- Managed endpoint software deployment via SCCM or Tanium that stages .NET assemblies in ProgramData and invokes InstallUtil through a PowerShell parent, generating both suspicious_path and suspicious_parent hits
- Development workstations running Visual Studio build automation where InstallUtil is called from MSBuild with assemblies output to the user's local AppData directory under a project build folder
- Security product installation scripts (AV, EDR, DLP) that use InstallUtil with /logfile flags to capture installation output; these set uninstall_flag even though no uninstall takes place
Testing Methodology
Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: InstallUtil Execution from Temp Directory
Expected signal: Sysmon Event ID 1: installutil.exe with a Temp path in the command line plus /logfile and /logtoconsole flags. Security Event ID 4688 for the process. Sysmon Event ID 7 (Image Load) for the DLL being loaded.
- Test 2: InstallUtil with Uninstall Flag
Expected signal: Sysmon Event ID 1: installutil.exe with the /u flag and a temp path. Security Event ID 4688. The process will fail if the file doesn't exist or isn't a valid installer assembly, but the process creation event still fires.
- Test 3: InstallUtil Invoked from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe followed by installutil.exe with ParentImage=powershell.exe. Both the suspicious_parent and suspicious_path indicators fire. Security Event ID 4688 for both processes.
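To see what the query's scoring produces for the three tests above, for a child process spawned by InstallUtil, and for a benign install that should be filtered out, here is an added Python re-implementation of the same four indicators and final filter, run over constructed Sysmon Event ID 1 records. This is example code written for this page, not part of the original detection or of Sumo Logic; the key=value record format, the file paths and the user names are assumptions.

```python
import re

# Constructed Sysmon Event ID 1 records in key=value form (not real telemetry): Atomic tests 1-3
# above, a shell spawned by InstallUtil, and a benign vendor install that should score zero.
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="InstallUtil.exe /logfile= /logtoconsole=false C:\\Users\\bob\\AppData\\Local\\Temp\\stage.dll"',
    'Image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe" ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="InstallUtil.exe /u C:\\Windows\\Temp\\missing.dll"',
    'Image="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe" '
    'ParentImage="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="InstallUtil.exe C:\\Users\\bob\\Downloads\\tool.dll"',
    'Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe" '
    'CommandLine="cmd.exe /c ver"',
    'Image="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe" ParentImage="C:\\Windows\\System32\\services.exe" '
    'CommandLine="InstallUtil.exe C:\\Program Files\\Vendor\\Agent\\Service.exe"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')  # key="quoted value" or key=bare
INSTALLUTIL = re.compile(r"(?i)installutil\.exe")
# The four indicators, same patterns as the query's if() expressions.
SUSPICIOUS_PATH = re.compile(r"(?i)(Temp|AppData|Downloads|Public|ProgramData|\\Users\\)")
INTERPRETER_PARENT = re.compile(r"(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel)\.exe$")
UNINSTALL_OR_LOG = re.compile(r"(?i)(/u\s|/uninstall|/logfile)")
SUSPICIOUS_CHILD = re.compile(r"(?i)(cmd|powershell|wscript|cscript|rundll32|regsvr32|net)\.exe$")

def parse_event(line):
    """Stand-in for the query's parse regex stages: basename of Image/ParentImage plus CommandLine."""
    f = {k: q or u for k, q, u in FIELD_RE.findall(line)}
    return {"process_name": f.get("Image", "").rsplit("\\", 1)[-1],
            "parent_process": f.get("ParentImage", "").rsplit("\\", 1)[-1],
            "command_line": f.get("CommandLine", "")}

def score_event(ev):
    """Return the indicator flags plus risk_score, or None when InstallUtil is neither process nor parent."""
    parent_is_iu = bool(INSTALLUTIL.search(ev["parent_process"]))
    if not (parent_is_iu or INSTALLUTIL.search(ev["process_name"])):
        return None
    flags = {"suspicious_path": int(bool(SUSPICIOUS_PATH.search(ev["command_line"]))),
             "suspicious_parent": int(bool(INTERPRETER_PARENT.search(ev["parent_process"]))),
             "uninstall_flag": int(bool(UNINSTALL_OR_LOG.search(ev["command_line"]))),
             "suspicious_child": int(parent_is_iu and bool(SUSPICIOUS_CHILD.search(ev["process_name"])))}
    flags["risk_score"] = sum(flags.values())
    return flags

def detect(lines):
    """The query's final filter: keep risk_score > 0, or anything InstallUtil itself spawned."""
    hits = []
    for ev in map(parse_event, lines):
        flags = score_event(ev)
        if flags and (flags["risk_score"] > 0 or INSTALLUTIL.search(ev["parent_process"])):
            hits.append({**ev, **flags})
    return hits
```

Running detect(SAMPLE_EVENTS) yields four hits scoring 3, 2, 2 and 1; the vendor install scores 0 and is dropped, matching the tuning notes above.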
References (7)
- https://attack.mitre.org/techniques/T1218/004/
- https://lolbas-project.github.io/lolbas/Binaries/Installutil/
- https://msdn.microsoft.com/en-us/library/50614e95.aspx
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md
- https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/
- https://www.cybereason.com/blog/operation-cobalt-kitty-apt
- https://www.anomali.com/blog/mustang-panda-threat-actor-targets-minority-groups-journalists-and-activists