Skip to content

T1218.004 InstallUtil

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. 1 The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe.

InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. 2

Item Value
ID T1218.004
Sub-techniques T1218.001, T1218.002, T1218.003, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014
Tactics TA0005
Platforms Windows
Permissions required User
Version 2.0
Created 23 January 2020
Last Modified 11 March 2022

Procedure Examples

ID Name Description
S0631 Chaes Chaes has used Installutill to download content.4
G0045 menuPass menuPass has used InstallUtil.exe to execute malicious software.7
G0129 Mustang Panda Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.6
S1018 Saint Bot Saint Bot had used InstallUtil.exe to download and deploy executables.3
S0689 WhisperGate WhisperGate has used InstallUtil.exe as part of its process to disable Windows Defender.5

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program InstallUtil may not be necessary within a given environment.
M1038 Execution Prevention Use application control configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation

References