MITRE ATT&CK® Analytic

AN0388: Analytic 0388

Execution of InstallUtil.exe from .NET framework directories with arguments specifying non-standard or attacker-supplied assemblies, especially when followed by suspicious child process creation or script execution. Detection also includes correlation of newly created binaries prior to InstallUtil invocation and anomalous command-line usage compared to historical baselines.

Enterprise | AN0388 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is relevant because InstallUtil.exe is a legitimate Windows .NET utility that can become suspicious when it runs from framework directories against unusual or attacker-supplied assemblies. For leaders, the value is not simply detecting one binary; it is validating whether the organization can distinguish normal administrative or developer use from activity that may indicate unauthorized code execution, script launch, or execution of a newly dropped binary.

Executive priority

Prioritize this as a Windows monitoring and incident-triage coverage question: do SOC and IR teams have the command-line, process lineage, and file-creation evidence needed to explain why InstallUtil.exe ran, what assembly it loaded, and what happened next? This supports operational resilience, audit evidence, and control validation by showing whether legitimate tooling abuse can be investigated quickly without relying on assumptions or vendor defaults.

Technical view

For Windows environments, validate analytics around InstallUtil.exe execution from .NET framework directories where command-line arguments reference non-standard assemblies or paths inconsistent with historical baselines. Correlate the invocation with recently created binaries before execution and with suspicious child process or script execution afterward. Because no ATT&CK tactic or relationship context is supplied, treat this as a detection analytic for suspicious Windows process behavior rather than a complete attack narrative.

Likely telemetry

  • Windows process creation events including executable path, parent process, child process, and full command line
  • File creation telemetry for newly created binaries or assemblies prior to InstallUtil.exe execution
  • Script execution telemetry where child processes invoke scripting engines or interpreters
  • Endpoint detection logs showing process ancestry and command-line anomaly context
  • Historical baseline data for expected InstallUtil.exe usage by host, user, path, and arguments

Detection direction

  • Confirm that InstallUtil.exe executions from .NET framework directories are visible with full command-line capture.
  • Tune for non-standard or attacker-supplied assembly paths, especially unusual user-writable locations or paths not seen in local baselines.
  • Correlate InstallUtil.exe execution with binaries created shortly beforehand and suspicious child process or script execution afterward.
  • Account for legitimate developer, administrator, build, or software deployment activity to reduce false positives.
  • Identify blind spots where command-line logging, process lineage, or file-creation telemetry is missing, because those gaps materially weaken this analytic.
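The following Python is an added worked example (not MITRE's analytic logic and not Glexia's code) that implements the correlation described in the technical view and detection direction above over constructed Sysmon-style process-creation and file-creation events: it keeps only InstallUtil.exe runs from .NET framework directories, pulls the assembly path out of the command line, compares it against a local baseline and user-writable locations, looks back for the assembly being written shortly before execution, and looks ahead for a script engine spawned as a child. The framework-directory prefixes, the script-engine list, the time windows, the baseline set, and every event are assumptions chosen for the example.

```python
"""Correlate InstallUtil.exe process-creation events with prior file creation
and later child-process activity. Added worked example (not MITRE's or Glexia's
code); all events and the baseline set below are constructed samples."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ntpath
import re

# Legitimate InstallUtil.exe locations (Framework and Framework64, any runtime version).
FRAMEWORK_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
                  "c:\\windows\\microsoft.net\\framework64\\")
# Locations an unprivileged user can normally write to (assumed list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed local baseline of assembly paths seen in legitimate use (constructed).
BASELINE_ASSEMBLIES = {"c:\\program files\\contoso\\service\\contososervice.exe"}
FILE_CREATE_WINDOW = timedelta(minutes=5)   # "newly created" lookback
CHILD_WINDOW = timedelta(minutes=2)         # child-process lookahead


@dataclass
class ProcessEvent:
    ts: datetime
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class FileEvent:
    ts: datetime
    path: str


@dataclass
class Finding:
    pid: int
    assembly: str
    reasons: list = field(default_factory=list)


def assembly_from_cmdline(cmdline):
    """Return the first non-switch argument of an InstallUtil command line
    (the assembly path), lower-cased; None if no assembly was given."""
    tokens = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    for tok in tokens[1:]:                     # tokens[0] is the image name
        if tok.startswith(("/", "-")):         # /logfile=, /U, /LogToConsole=...
            continue
        return tok.lower()
    return None


def from_framework_dir(image):
    """True when the image is InstallUtil.exe under a .NET framework directory."""
    img = image.lower()
    return ntpath.basename(img) == "installutil.exe" and img.startswith(FRAMEWORK_DIRS)


def analyze(proc_events, file_events):
    """Return one Finding per InstallUtil.exe execution that shows at least one
    anomaly: non-baseline or user-writable assembly, assembly written shortly
    before execution, or a script engine spawned shortly afterwards."""
    findings = []
    for ev in proc_events:
        if not from_framework_dir(ev.image):
            continue
        asm = assembly_from_cmdline(ev.cmdline)
        f = Finding(ev.pid, asm or "")
        if asm is None:
            f.reasons.append("no assembly argument")
        else:
            if asm not in BASELINE_ASSEMBLIES and not asm.startswith(FRAMEWORK_DIRS):
                f.reasons.append("non-baseline assembly")
            if asm.startswith(USER_WRITABLE) or "\\temp\\" in asm:
                f.reasons.append("user-writable location")
            for fe in file_events:                # was the assembly dropped just before?
                age = ev.ts - fe.ts
                if fe.path.lower() == asm and timedelta(0) <= age <= FILE_CREATE_WINDOW:
                    f.reasons.append(f"assembly created {int(age.total_seconds())}s before execution")
        for child in proc_events:                 # did a script engine follow?
            delay = child.ts - ev.ts
            if (child.ppid == ev.pid and timedelta(0) <= delay <= CHILD_WINDOW
                    and ntpath.basename(child.image.lower()) in SCRIPT_ENGINES):
                f.reasons.append(f"child script engine: {ntpath.basename(child.image.lower())}")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample telemetry: one suspicious run and one baselined benign run.
T0 = datetime(2026, 1, 15, 9, 0, 0)
FW64 = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe"
DROPPED = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"

SAMPLE_FILES = [FileEvent(T0 - timedelta(seconds=90), DROPPED)]
SAMPLE_PROCESSES = [
    # Suspicious: assembly in %TEMP%, written 90 s earlier, PowerShell child 5 s later.
    ProcessEvent(T0, 4100, 3000, FW64,
                 f'InstallUtil.exe /logfile= /LogToConsole=false /U "{DROPPED}"'),
    ProcessEvent(T0 + timedelta(seconds=5), 4120, 4100,
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoProfile -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\post.ps1"),
    # Benign: baselined service installer run by a deployment tool, no children.
    ProcessEvent(T0 + timedelta(hours=1), 5200, 5100, FW64,
                 'InstallUtil.exe "C:\\Program Files\\Contoso\\Service\\ContosoService.exe"'),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(f"pid {finding.pid} assembly={finding.assembly}")
        for reason in finding.reasons:
            print("  -", reason)
```

Run as-is it reports only the first InstallUtil.exe event, with all four reasons, and stays silent on the baselined run; in a real deployment the baseline set would be built from historical InstallUtil.exe command lines per host role and user group, and the two time windows tuned to how quickly deployment tooling normally writes and then installs an assembly. Matching children on parent PID alone ignores PID reuse, so production logic should also key on process GUIDs or start times where the telemetry provides them.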

Mitigation priorities

  • Ensure Windows endpoint logging captures process creation, command lines, process ancestry, and relevant file creation events.
  • Establish baselines for legitimate InstallUtil.exe use by host role, user group, and administrative workflow.
  • Review access controls and software execution governance around locations where assemblies or binaries can be written and executed.
  • Use SOC runbooks to require validation of the assembly path, parent process, child process behavior, and recent file creation during triage.
  • Feed confirmed benign patterns and suspicious outliers back into detection tuning and incident response procedures.

Analyst notes and limits

The supplied object is a detection analytic, AN0388, for Windows InstallUtil.exe behavior. Its strongest decision value is in coverage validation: whether defenders can correlate command-line usage, newly created binaries, and downstream child process or script activity. No relationship context, aliases, labels, tactics, or official detection logic were supplied.

This take uses only the supplied ATT&CK fields. The object does not provide a tactic, formal detection logic, related techniques, mitigations, threat actors, campaigns, or evidence of active exploitation. Local environment baselines are required to decide what is abnormal.

Official MITRE ATT&CK definition

Analytic 0388


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4588616d377b5d4f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 4588616d377b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0388 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.