Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. [1] The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v
and C:\Windows\Microsoft.NET\Framework64\v
.
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]
. [2]
ID | Name | Description |
---|---|---|
S0631 | Chaes | |
S1155 | Covenant |
Covenant can create launchers via an InstallUtil XML file to install new Grunt listeners.[4] |
G0045 | menuPass |
menuPass has used |
G0129 | Mustang Panda |
Mustang Panda has used |
S1018 | Saint Bot |
Saint Bot had used |
S0689 | WhisperGate |
WhisperGate has used |
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program |
InstallUtil may not be necessary within a given environment. |
M1038 | Execution Prevention |
Use application control configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution |
Monitor executed commands and arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed. |
DS0009 | Process | Process Creation |
Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity |