← Back to SOC feed Coverage →

Suspicious Execution of InstallUtil Without Log

sigma MEDIUM SigmaHQ
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-10T11:00:00Z · Confidence: medium

Hunt Hypothesis

Uses the .NET InstallUtil.exe application in order to execute image without log

Detection Rule

Sigma (Original)

title: Suspicious Execution of InstallUtil Without Log
id: d042284c-a296-4988-9be5-f424fadcc28c
status: test
description: Uses the .NET InstallUtil.exe application in order to execute image without log
references:
    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
author: frack113
date: 2022-01-23
modified: 2022-02-04
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\InstallUtil.exe'
        Image|contains: 'Microsoft.NET\Framework'
        CommandLine|contains|all:
            - '/logfile= '
            - '/LogToConsole=false'
    condition: selection
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\InstallUtil.exe" and TargetProcessName contains "Microsoft.NET\\Framework" and (TargetProcessCommandLine contains "/logfile= " and TargetProcessCommandLine contains "/LogToConsole=false")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_instalutil_no_log_execution.yml