
Attack: Signed Binary Proxy Execution: InstallUtil

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.

InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
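From the defender's side, an added example (not from the page, Atomic Red Team or any Sigma rule) that triages constructed process-creation records for the pattern described above: the signed InstallUtil.exe normally lives under the .NET Framework directories and proxies execution by loading an installer assembly, so the check flags a copy running elsewhere and an assembly supplied from a user-writable path. The record format, paths and the "user-writable" directory list are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Parent directories of the legitimate, Microsoft-signed InstallUtil.exe; the
# v<version> segment varies by .NET release, so only the parent is matched.
TRUSTED_PARENTS = ("c:\\windows\\microsoft.net\\framework\\",
                   "c:\\windows\\microsoft.net\\framework64\\")
# Locations from which a legitimate installer assembly is rarely run (heuristic assumption).
SUSPECT_ASSEMBLY_DIRS = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\appdata\\")

def parse_event(line: str) -> dict:
    """Parse a constructed, pipe-separated 'key=value' process-creation record."""
    return dict(part.split("=", 1) for part in line.split("|"))

def assess_installutil(event: dict) -> list:
    """Return the reasons an event looks like InstallUtil proxy execution (empty = nothing flagged)."""
    image = event.get("Image", "")
    # Match on the PE's original file name too, so a renamed copy is still recognised.
    names = {PureWindowsPath(image).name.lower(), event.get("OriginalFileName", "").lower()}
    if "installutil.exe" not in names:
        return []
    reasons = []
    if not image.lower().startswith(TRUSTED_PARENTS):
        reasons.append("InstallUtil running outside the .NET Framework directories")
    # Tokens that are not /switches are candidate installer assemblies handed to InstallUtil.
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', event.get("CommandLine", ""))]
    for arg in tokens[1:]:
        if arg.startswith("/"):
            continue
        low = arg.lower()
        if low.endswith((".dll", ".exe")) and any(d in low for d in SUSPECT_ASSEMBLY_DIRS):
            reasons.append(f"installer assembly loaded from user-writable path: {arg}")
    return reasons

# Constructed sample records (not real telemetry).
BENIGN = (r'Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe'
          r'|CommandLine=InstallUtil.exe "C:\Program Files\Vendor\Service.exe"')
HELPTEXT = (r'Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
            r'|CommandLine=InstallUtil.exe /? C:\Users\alice\AppData\Local\Temp\installer.dll')
RENAMED = (r'Image=C:\Users\Public\iu.exe|OriginalFileName=InstallUtil.exe'
           r'|CommandLine=iu.exe /U C:\Users\Public\installer.dll')

if __name__ == "__main__":
    for record in (BENIGN, HELPTEXT, RENAMED):
        print(assess_installutil(parse_event(record)) or ["nothing flagged"])
```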


Test: InstallUtil HelpText method call


Description: Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil.

Executor: powershell
