Analytics Story: Signed Binary Proxy Execution InstallUtil

Date: 2021-11-12 ID: 9482a314-43dc-11ec-a3c9-acde48001122 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility.

InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe. There are multiple ways to instantiate InstallUtil and they are all outlined within Atomic Red Team - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md. Two specific ways may be used and that includes invoking via installer assembly class constructor through .NET and via InstallUtil.exe. Typically, adversaries will utilize the most commonly found way to invoke via InstallUtil Uninstall method. Note that parallel processes, and parent process, play a role in how InstallUtil is being used. In particular, a developer using InstallUtil will spawn from VisualStudio. Adversaries, will spawn from non-standard processes like Explorer.exe, cmd.exe or PowerShell.exe. It's important to review the command-line to identify the DLL being loaded. Parallel processes may also include csc.exe being used to compile a local .cs file. This file will be the input to the output. Developers usually do not build direct on the command shell, therefore this should raise suspicion.

Name ▲▼ Technique ▲▼ Type ▲▼
Windows DotNet Binary in Non Standard Path Rename System Utilities, InstallUtil TTP
Windows InstallUtil Credential Theft InstallUtil TTP
Windows InstallUtil in Non Standard Path Rename System Utilities, InstallUtil TTP
Windows InstallUtil Remote Network Connection InstallUtil TTP
Windows InstallUtil Uninstall Option InstallUtil TTP
Windows InstallUtil Uninstall Option with Network InstallUtil TTP
Windows InstallUtil URL in Command Line InstallUtil TTP
Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

Source: GitHub | Version: 1