Try in Splunk Security Cloud

Description

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2021-11-12
  • Author: Michael Haag, Splunk
  • ID: 9482a314-43dc-11ec-a3c9-acde48001122

Narrative

InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.
There are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe.
Typically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method.
Note that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It’s important to review the command-line to identify the DLL being loaded.
Parallel processes may also include csc.exe being used to compile a local .cs file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.

Detections

Name Technique Type
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Anomaly
Windows InstallUtil Credential Theft InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Remote Network Connection InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil URL in Command Line InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option with Network InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP

Reference

source | version: 1