Signed Binary Proxy Execution: InstallUtil

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. [1] InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.

InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. [2]

ID: T1218.004
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: User
Data Sources: Process command-line parameters, Process monitoring
Defense Bypassed: Digital Certificate Validation, Process whitelisting
Contributors: Casey Smith; Travis Smith, Tripwire
Version: 1.0
Created: 23 January 2020
Last Modified: 29 March 2020

Mitigations

Mitigation Description
Disable or Remove Feature or Program

InstallUtil may not be necessary within a given environment.

Execution Prevention

Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Detection

Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.

References