Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. It can also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute.
How can I use process monitoring to monitor the execuiton and arguments of InstallUtil.exe within my organization?
For example by using splunk or creating a GPO in Active Directory perhaps?
Reference: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool