1. Home
  2. Techniques
  3. Enterprise
  4. System Binary Proxy Execution
  5. InstallUtil

System Binary Proxy Execution: InstallUtil

ID Name
T1218.001 Compiled HTML File
T1218.002 Control Panel
T1218.003 CMSTP
T1218.004 InstallUtil
T1218.005 Mshta
T1218.007 Msiexec
T1218.008 Odbcconf
T1218.009 Regsvcs/Regasm
T1218.010 Regsvr32
T1218.011 Rundll32
T1218.012 Verclsid
T1218.013 Mavinject
T1218.014 MMC
T1218.015 Electron Applications

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. [1] The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.

InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. [2]

ID: T1218.004
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Contributors: Casey Smith; Travis Smith, Tripwire
Version: 2.1
Created: 23 January 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0631 Chaes

Chaes has used Installutill to download content.[3]
S1155 Covenant

Covenant can create launchers via an InstallUtil XML file to install new Grunt listeners.[4]
G0045 menuPass

menuPass has used InstallUtil.exe to execute malicious software.[5]
G0129 Mustang Panda

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.[6]
S1018 Saint Bot

Saint Bot had used InstallUtil.exe to download and deploy executables.[7]
S0689 WhisperGate

WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.[8]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

InstallUtil may not be necessary within a given environment.
M1038 Execution Prevention

Use application control configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0138 Detection of Malicious Code Execution via InstallUtil.exe AN0388

Execution of InstallUtil.exe from .NET framework directories with arguments specifying non-standard or attacker-supplied assemblies, especially when followed by suspicious child process creation or script execution. Detection also includes correlation of newly created binaries prior to InstallUtil invocation and anomalous command-line usage compared to historical baselines.

References

  1. Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved July 1, 2016.
  2. LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
  3. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  4. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
  1. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  2. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  3. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  4. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.