Find sigma rule
Attack: Signed Binary Proxy Execution: InstallUtil
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system:
- C:\Windows\Microsoft.NET\Framework\v
- C:\Windows\Microsoft.NET\Framework64\v
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
MITRE
Tactic
- defense-evasion
Technique
- T1218.004
Test: InstallUtil evasive invocation
OS
- windows
Description:
Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, “Running a transacted installation.” will be displayed, along with other information about the operation. “The transacted install has completed.” will be displayed upon completion.
Executor
powershell
Sigma Rule
- posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
- file_event_win_csharp_compile_artefact.yml (id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0)
- proc_creation_win_csc_susp_dynamic_compilation.yml (id: dcaa3f04-70c3-427a-80b4-b870d73c94c4)
- proc_creation_win_rundll32_run_locations.yml (id: 15b75071-74cc-47e0-b4c6-b43744a62a2b)
- proc_creation_win_susp_execution_path.yml (id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4)