title: Suspicious Execution of InstallUtil Without Log 
id: d042284c-a296-4988-9be5-f424fadcc28c
status: experimental
description: Uses the .NET InstallUtil.exe application in order to execute image without log
author: frack113
references:
    - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
    - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
date: 2022/01/23
modified: 2022/02/04
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: \InstallUtil.exe
        Image|contains: Microsoft.NET\Framework
        CommandLine|contains|all:
            - '/logfile= '
            - '/LogToConsole=false'
    condition: selection
falsepositives:
    - Unknown
level: medium
tags:
    - attack.defense_evasion