Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>.
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1218.004 | InstallUtil | |
| CM-11 | User-installed Software | mitigates | T1218.004 | InstallUtil | |
| SI-16 | Memory Protection | mitigates | T1218.004 | InstallUtil | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1218.004 | InstallUtil | |
| CM-08 | System Component Inventory | mitigates | T1218.004 | InstallUtil | |
| SI-10 | Information Input Validation | mitigates | T1218.004 | InstallUtil | |
| SI-03 | Malicious Code Protection | mitigates | T1218.004 | InstallUtil | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1218.004 | InstallUtil | |
| CM-02 | Baseline Configuration | mitigates | T1218.004 | InstallUtil | |
| CM-07 | Least Functionality | mitigates | T1218.004 | InstallUtil | |
| SI-04 | System Monitoring | mitigates | T1218.004 | InstallUtil |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.004 | InstallUtil |