Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>.
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)
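As an added detection example (not part of the ATT&CK description or any mapped framework), the following Python classifies process-creation records for InstallUtil runs using the two binary locations named above. It assumes Sysmon-style `image` and `command_line` fields and, as an assumption not stated on the page, treats an assembly loaded from a user-writable directory as the signal worth triaging.

```python
import re

# The two locations the ATT&CK description names, with the version folder
# left variable (e.g. v4.0.30319 on .NET Framework 4.x hosts).
INSTALLUTIL_PATH = re.compile(
    r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\installutil\.exe$",
    re.IGNORECASE,
)
# Assumption (not from the page): assemblies legitimately installed through
# InstallUtil live under Program Files or a service directory, so an assembly
# loaded from a user-writable location deserves analyst attention.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")


def assembly_arguments(command_line):
    """Return positional arguments (assembly paths), skipping /switches."""
    tokens = re.findall(r'"[^"]+"|\S+', command_line)
    return [t.strip('"') for t in tokens[1:] if not t.startswith(("/", "-"))]


def classify(event):
    """Classify one process-creation record (constructed Sysmon-style fields).

    Returns None when the image is not InstallUtil, 'installutil-run' for a
    run with no suspicious assembly path, or a 'suspicious-installutil:' string
    listing each assembly loaded from a user-writable location.
    A renamed or copied InstallUtil will not match by path; for that case,
    compare the OriginalFileName field against 'InstallUtil.exe' as well.
    """
    if not INSTALLUTIL_PATH.match(event["image"]):
        return None
    findings = [
        f"assembly from user-writable path: {path}"
        for path in assembly_arguments(event["command_line"])
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)
    ]
    if not findings:
        return "installutil-run"
    return "suspicious-installutil: " + "; ".join(findings)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "command_line": r'InstallUtil.exe "C:\Program Files\ExampleVendor\ExampleService.exe"'},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "command_line": r"InstallUtil.exe /LogToConsole=false C:\Users\alice\AppData\Local\Temp\sample.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify(event))
```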
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.004 | InstallUtil | Comments: Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1218.004 | InstallUtil | |
CM-11 | User-installed Software | mitigates | T1218.004 | InstallUtil | |
SI-16 | Memory Protection | mitigates | T1218.004 | InstallUtil | |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1218.004 | InstallUtil | |
CM-08 | System Component Inventory | mitigates | T1218.004 | InstallUtil | |
SI-10 | Information Input Validation | mitigates | T1218.004 | InstallUtil | |
SI-03 | Malicious Code Protection | mitigates | T1218.004 | InstallUtil | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1218.004 | InstallUtil | |
CM-02 | Baseline Configuration | mitigates | T1218.004 | InstallUtil | |
CM-07 | Least Functionality | mitigates | T1218.004 | InstallUtil | |
SI-04 | System Monitoring | mitigates | T1218.004 | InstallUtil | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.004 | InstallUtil | |