Analytics Story: Signed Binary Proxy Execution InstallUtil

Date: 2021-11-12 ID: 9482a314-43dc-11ec-a3c9-acde48001122 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.

Why it matters

InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe. There are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe. Typically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method. Note that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded. Parallel processes may also include csc.exe being used to compile a local .cs file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows InstallUtil Credential Theft InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows InstallUtil Remote Network Connection InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option with Network InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil URL in Command Line InstallUtil, System Binary Proxy Execution TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1