Rules: First Seen InstallUtil Allow List Bypass From User
Description
This rule looks for a suspicious outgoing network connection from the InstallUtil process, indicating potentially malicious use of the InstallUtil binary.
Additional Details
| Detail | Value |
| --- | --- |
| Type | First Seen |
| Category | Defense Evasion |
| Apply Risk to Entities | device_hostname, user_username |
| Signal Name | First Seen InstallUtil Allow List Bypass From User |
| Summary Expression | First seen InstallUtil network connection detected on host: {{device_hostname}} by user: {{user_username}} |