Find sigma rule
Attack: Signed Binary Proxy Execution: InstallUtil
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v
C:\Windows\Microsoft.NET\Framework64\v
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]
. (Citation: LOLBAS Installutil)
MITRE
Tactic
- defense-evasion
technique
- T1218.004
Test : InstallUtil HelpText method call
OS
- windows
Description:
Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil.
Executor
powershell
Sigma Rule
-
posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
-
file_event_win_csharp_compile_artefact.yml (id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0)
-
proc_creation_win_csc_susp_dynamic_compilation.yml (id: dcaa3f04-70c3-427a-80b4-b870d73c94c4)