EXPLORE
Sign In
← Back to Explore
T1218.004

InstallUtil

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>...

Windows
15
Detections
2
Sources
2
Threat Actors

BY SOURCE

9elastic6splunk_escu

PROCEDURES (12)

Child Process3 detections

Auto-extracted: 3 detections for child process

Network Connection Monitoring2 detections

Auto-extracted: 2 detections for network connection monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Persist1 detections

Auto-extracted: 1 detections for persist

Remote1 detections

Auto-extracted: 1 detections for remote

Privilege1 detections

Auto-extracted: 1 detections for privilege

Bypass1 detections

Auto-extracted: 1 detections for bypass

Download1 detections

Auto-extracted: 1 detections for download

Privilege1 detections

Auto-extracted: 1 detections for privilege

Remote1 detections

Auto-extracted: 1 detections for remote

Persist1 detections

Auto-extracted: 1 detections for persist

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

THREAT ACTORS (2)

menuPassMustang Panda

DETECTIONS (15)

Delayed Execution via Ping
elasticlow
Execution from Unusual Directory - Command Line
elasticmedium
Execution of Persistent Suspicious Program
elasticmedium
InstallUtil Process Making Network Connections
elasticmedium
Suspicious JetBrains TeamCity Child Process
elasticmedium
Suspicious MS Office Child Process
elasticmedium
Suspicious MS Outlook Child Process
elasticlow
Suspicious PDF Reader Child Process
elasticlow
Unusual Network Activity from a Windows System Binary
elasticmedium
Windows DotNet Binary in Non Standard Path
splunk_escu
Windows InstallUtil Credential Theft
splunk_escu
Windows InstallUtil in Non Standard Path
splunk_escu
Windows InstallUtil Remote Network Connection
splunk_escu
Windows InstallUtil Uninstall Option
splunk_escu
Windows InstallUtil URL in Command Line
splunk_escu