System Binary Proxy Execution: InstallUtil
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v and C:\Windows\Microsoft.NET\Framework64\v.
InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
Procedure Examples

Name | Description
---|---
Chaes | Chaes has used InstallUtil to download content. (Citation: Cybereason Chaes Nov 2020)
Mustang Panda | Mustang Panda has used
WhisperGate | WhisperGate has used `InstallUtil.exe` as part of its process to disable Windows Defender. (Citation: Unit 42 WhisperGate January 2022)
menuPass | menuPass has used
Saint Bot | Saint Bot has used `InstallUtil.exe` to download and deploy executables. (Citation: Malwarebytes Saint Bot April 2021)
Mitigations

Mitigation | Description
---|---
Execution Prevention | Block execution of code on a system through application control and/or script blocking.
Disable or Remove Feature or Program | Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Detection
Use process monitoring to monitor the execution and arguments of InstallUtil.exe. Compare recent invocations of InstallUtil.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the InstallUtil.exe invocation may also be useful in determining the origin and purpose of the binary being executed.
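The baseline comparison described above, as an added example that is not part of the original page: it runs over constructed process-creation events (Sysmon Event ID 1 style) and flags InstallUtil.exe executions whose image path, target assembly or parent process deviate from a hypothetical known-good history. The baseline values, event contents and field names are assumptions for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe "C:\Program Files\Contoso\ContosoService.exe"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe /u C:\Users\Public\update.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\Public\InstallUtil.exe",
     "CommandLine": r"InstallUtil.exe C:\Users\Public\svc.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Hypothetical baseline built from prior known-good InstallUtil invocations.
BASELINE = {
    "assemblies": {r"c:\program files\contoso\contososervice.exe"},
    "parents": {"msiexec.exe", "services.exe", "setup.exe"},
}
# The .NET Framework directories where the signed InstallUtil.exe normally lives.
DOTNET_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
               "c:\\windows\\microsoft.net\\framework64\\")

def image_name(path):
    return PureWindowsPath(path).name.lower()

def assembly_args(cmdline):
    """Return the non-switch arguments, i.e. the assemblies InstallUtil was asked to process."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return [t.lower() for t in tokens[1:] if not t.startswith(("/", "-"))]

def analyze(events, baseline=BASELINE):
    """Return (event_index, reasons) for each InstallUtil execution that deviates from baseline."""
    findings = []
    for i, ev in enumerate(events):
        if image_name(ev["Image"]) != "installutil.exe":
            continue
        reasons = []
        if not ev["Image"].lower().startswith(DOTNET_DIRS):
            reasons.append("installutil.exe running outside the .NET Framework directories")
        for asm in assembly_args(ev["CommandLine"]):
            if asm not in baseline["assemblies"]:
                reasons.append(f"assembly not in known-good history: {asm}")
        parent = image_name(ev["ParentImage"])
        if parent not in baseline["parents"]:
            reasons.append(f"unusual parent process: {parent}")
        if reasons:
            findings.append((i, reasons))
    return findings
```

In a real deployment the baseline would be generated from historical telemetry, and the surrounding command lines of the same parent process would be pulled in to establish the origin of the executed assembly.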
References
- LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
- Microsoft. (n.d.). Installutil.exe (Installer Tool). Retrieved July 1, 2016.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
- Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.