MITRE ATT&CK® Detection Strategy

DET0138: Detection of Malicious Code Execution via InstallUtil.exe

Enterprise | DET0138 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0138 is a detection strategy for suspicious code execution involving InstallUtil.exe, a trusted Microsoft .NET utility that adversaries may abuse to run code through a legitimate Windows binary. The business value is in validating whether the SOC can distinguish normal administrative or developer use of InstallUtil from proxy execution behavior that may bypass simple application-control or alerting assumptions.

Executive priority

Prioritize this as a Windows endpoint and SOC-readiness question rather than a standalone control. Leaders should ask whether the organization has visibility into trusted utility abuse, whether detections are mapped to ATT&CK T1218.004, and whether incident responders can quickly separate legitimate .NET installation activity from suspicious execution. This supports resilience, audit evidence for monitoring coverage, and practical prioritization of endpoint telemetry and application-control validation.

Technical view

The supplied ATT&CK object has no official description, detection logic, platforms, or tactics, but it is explicitly related to technique T1218.004, InstallUtil, in the enterprise domain. Detection engineering should therefore validate telemetry around InstallUtil.exe execution on Windows systems, especially executions from Microsoft .NET Framework paths and command-line patterns that indicate installation or uninstallation behavior against .NET binaries. Tune carefully for legitimate administrator, software deployment, build, and developer activity.

Likely telemetry

  • Windows process creation events for InstallUtil.exe
  • Command-line arguments and parent/child process relationships
  • Executable path information, especially Microsoft .NET Framework InstallUtil.exe locations
  • File metadata and digital signature context for the invoked utility and target binaries
  • Endpoint detection and response process lineage

Detection direction

  • Map detections and alert triage to ATT&CK T1218.004 rather than treating InstallUtil activity as inherently malicious.
  • Baseline legitimate InstallUtil.exe usage by host role, user role, software deployment process, and developer workflow.
  • Prioritize unusual parent processes, unusual users, unexpected working directories, rare target binaries, or process chains inconsistent with software installation activity.
  • Check for blind spots where process command lines, parent process data, or endpoint telemetry are not retained.
  • Manage false positives from legitimate .NET application installation, system administration, build pipelines, and enterprise software deployment tools.
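A triage scorer over constructed process-creation records, added here to illustrate the baselining and prioritization points above (it is not part of the ATT&CK object or of Glexia's analysis). The .NET Framework paths, the approved-parent set and the baselined users are assumed values to replace with local data.

```python
# Added example: triage scoring for InstallUtil.exe process-creation events (T1218.004). Baselines are assumed.
import ntpath
import re
from collections import namedtuple
EXPECTED_DIRS = {  # default .NET Framework locations of the genuine binary (assumption; tune locally)
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
}
BASELINE_PARENTS = {"msiexec.exe", "devenv.exe", "msbuild.exe"}  # approved deployment/dev parents (assumed)
UNUSUAL_TARGET_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")  # user-writable locations
ProcEvent = namedtuple("ProcEvent", "image cmdline parent_image user")  # one process-creation record

def target_assemblies(cmdline):
    """Return .exe/.dll arguments handed to InstallUtil (quoted or bare), excluding InstallUtil itself."""
    toks = [q or b for q, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)]
    return [t for t in toks if t.lower().endswith((".exe", ".dll"))
            and ntpath.basename(t).lower() != "installutil.exe"]

def score_event(ev, baseline_users=frozenset()):
    """Return (score, reasons) for one event; score is the number of deviations from the local baseline."""
    if ntpath.basename(ev.image).lower() != "installutil.exe":
        return 0, []  # not an InstallUtil execution; nothing to triage here
    reasons = []
    if ntpath.dirname(ev.image).lower() not in EXPECTED_DIRS:
        reasons.append("image outside the .NET Framework path")
    parent = ntpath.basename(ev.parent_image).lower()
    if parent not in BASELINE_PARENTS:
        reasons.append(f"parent {parent} not in approved baseline")
    if ev.user.lower() not in baseline_users:
        reasons.append(f"user {ev.user} not baselined for InstallUtil")
    for t in target_assemblies(ev.cmdline):
        if any(d in t.lower() for d in UNUSUAL_TARGET_DIRS):
            reasons.append(f"target assembly in user-writable location: {t}")
    if re.search(r"(^|\s)/u\b", ev.cmdline, re.I):
        reasons.append("uninstall switch /u present; compare with approved uninstall activity")
    return len(reasons), reasons

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
              r'InstallUtil.exe "C:\Program Files\Vendor\Service.exe"',
              r"C:\Windows\System32\msiexec.exe", "CORP\\svc-deploy"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"InstallUtil.exe /u C:\Users\jdoe\AppData\Local\Temp\update.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CORP\\jdoe"),
]

def triage(events, baseline_users=frozenset({"corp\\svc-deploy"})):
    """Return (score, cmdline, reasons) for events with at least two deviations, highest score first."""
    hits = [(s, e.cmdline, r) for e in events for s, r in [score_event(e, baseline_users)] if s >= 2]
    return sorted(hits, key=lambda h: -h[0])
```

The score is deliberately a plain count of baseline deviations so that each reason stays visible to the analyst; weighting by host role or user role is the local tuning step the text describes.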

Mitigation priorities

  • Ensure endpoint logging captures process creation, command line, path, parent process, and user context for Windows systems where InstallUtil may exist.
  • Review application-control or allowlisting assumptions for trusted Windows utilities that can proxy execution.
  • Document approved administrative and software deployment use cases for InstallUtil.exe to improve triage quality.
  • Use incident response playbooks that preserve process lineage, target binary details, and related file evidence when InstallUtil activity is suspicious.
  • Periodically test detection coverage against the ATT&CK mapping using safe internal validation methods, not assumptions of vendor coverage.

Analyst notes and limits

This take is intentionally conservative because the detection strategy object itself provides no official description or detection text. The strongest usable context is the relationship to T1218.004, InstallUtil, which describes adversary use of a trusted Windows .NET utility to proxy code execution. Local baselining is essential because legitimate administrative and development activity can resemble suspicious behavior.

No official detection logic, platform list, tactic list, or detailed analytic guidance was supplied for DET0138. The Windows platform and stealth context come from the related ATT&CK technique, not from the detection strategy object itself. This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection of Malicious Code Execution via InstallUtil.exe

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name         Relationship / procedure
Enterprise  T1218.004  InstallUtil  Sub-technique. This object detects InstallUtil.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f5470b8dd2b56f74...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  f5470b8dd2b5…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0138 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.