
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. It can also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute.

How can I use process monitoring to monitor the execution and arguments of InstallUtil.exe within my organization?

For example by using Splunk or creating a GPO in Active Directory perhaps?

Reference: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool

1 Answer

IIRC, normal Windows events logs don't have enough detail for your use case. You should run sysmon on your Windows systems and log the output in Splunk. That should give you the information you need to detect undesirable executions.
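As an added illustration of the answer's suggestion (not part of the original post, and not Sysmon's or Splunk's own code), the script below parses Sysmon Event ID 1 (ProcessCreate) records in the XML shape Sysmon writes to the Microsoft-Windows-Sysmon/Operational channel, keeps only InstallUtil.exe executions, and flags for review any run whose assembly argument lives in a user-writable directory. The sample events, hostnames, users and paths are constructed for this example; the "user-writable directory" heuristic is an assumption chosen here, not a rule from the page.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (Sysmon events included).
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Assumption for this example: an assembly loaded from one of these
# user-writable locations deserves an analyst's look; Program Files or
# Windows paths are treated as routine administrative use.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|AppData)\\", re.IGNORECASE)

# Constructed sample Sysmon ProcessCreate events (all values invented).
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe</Data>
    <Data Name="CommandLine">"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /LogToConsole=false C:\Users\alice\AppData\Local\Temp\build.dll</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    <Data Name="User">EXAMPLE\alice</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>srv02.example.local</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe</Data>
    <Data Name="CommandLine">InstallUtil.exe "C:\Program Files\ExampleSvc\ExampleSvc.exe"</Data>
    <Data Name="ParentImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="User">EXAMPLE\svcadmin</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID><Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">notepad.exe notes.txt</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="User">EXAMPLE\alice</Data>
  </EventData>
</Event>""",
]


def parse_sysmon_event(xml_text):
    """Return the EventID plus every EventData Name/value pair of one event."""
    root = ET.fromstring(xml_text)
    event = {"EventID": root.findtext(f"{NS}System/{NS}EventID"),
             "Computer": root.findtext(f"{NS}System/{NS}Computer")}
    for data in root.iter(f"{NS}Data"):
        event[data.get("Name")] = data.text or ""
    return event


def is_installutil(event):
    """True for a ProcessCreate event whose image is InstallUtil.exe."""
    return (event.get("EventID") == "1"
            and event.get("Image", "").lower().endswith("\\installutil.exe"))


def assembly_path(command_line):
    """Return the assembly argument: the last token that is not a /switch.
    Quoted tokens (paths with spaces) are kept whole and unquoted."""
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    args = [t.strip('"') for t in tokens[1:] if not t.startswith("/")]
    return args[-1] if args else ""


def triage(xml_events):
    """Keep InstallUtil executions and rate each one 'review' or 'info'."""
    findings = []
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if not is_installutil(ev):
            continue
        asm = assembly_path(ev.get("CommandLine", ""))
        findings.append({
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "parent": ev.get("ParentImage"),
            "assembly": asm,
            "severity": "review" if USER_WRITABLE.search(asm) else "info",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']} parent={f['parent']} assembly={f['assembly']}")
```

The same logic carries over to Splunk once Sysmon is forwarded there: filter EventCode 1 on the Image field, then apply the path heuristic to the CommandLine field; what the script calls "review" is the event you would route to an alert, and "info" is the baseline of expected administrative use you can compare against.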
