InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107)
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v and C:\Windows\Microsoft.NET\Framework64\v.
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) | Attack Pattern | 1 |