atomic-threat-coverage/Atomic_Threat_Coverage/Triggers/T1118.md
2019-02-12 04:55:11 +01:00

T1118 - InstallUtil

Description from ATT&CK

InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe. InstallUtil.exe is digitally signed by Microsoft.

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: SubTee GitHub All The Things Application Whitelisting Bypass)

Atomic Tests

Atomic Test #1 - InstallUtil uninstall method call

Executes the Uninstall Method

Supported Platforms: Windows

Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | location of the payload | Path | T1118.dll |

Run it with command_prompt!

```cmd
REM Compile the installer class in T1118.cs into a library; T1118.dll is the default for the filename input above.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library T1118.cs
REM #{filename} is the Atomic Red Team placeholder for the filename input; /U calls the Uninstall method, and the empty /logfile= plus /LogToConsole=false suppress logging.
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename}
```
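A detection-side counterpart to this test, added here as an example and not part of the Atomic Threat Coverage project or of Atomic Red Team. The Python below reviews Sysmon-style process-creation events (the field names Image, OriginalFileName and CommandLine follow Sysmon Event ID 1) and rates an InstallUtil execution by three signals taken from this page: the /U switch, the log-suppressing /logfile= and /LogToConsole=false arguments, and whether the binary runs from the .NET Framework directories named in the ATT&CK description. The sample events are constructed for the example; only the first reuses the command line from the test above, and the file names in the other events are placeholders.

```python
"""Added example: rate InstallUtil (ATT&CK T1118) process-creation events.

Event dicts use Sysmon Event ID 1 field names (Image, OriginalFileName,
CommandLine). ntpath is used so Windows paths parse correctly on any OS.
"""
import ntpath
import re

# Directories where InstallUtil.exe legitimately lives (compared lower-cased).
EXPECTED_DIRS = (
    r"c:\windows\microsoft.net\framework\v",
    r"c:\windows\microsoft.net\framework64\v",
)

# Command-line signals from the atomic test's invocation. Each hit is a reason
# on its own; any hit raises the severity to "high".
FLAG_CHECKS = [
    (re.compile(r"(?:^|\s)[/-]u(?:ninstall)?(?:\s|$)", re.IGNORECASE),
     "/U switch: runs the Uninstall method of the RunInstaller class"),
    (re.compile(r"[/-]logfile=(?:\s|$)", re.IGNORECASE),
     "empty /logfile= argument: no InstallLog is written"),
    (re.compile(r"[/-]logtoconsole=false", re.IGNORECASE),
     "/LogToConsole=false: console output suppressed"),
]


def analyze_event(event):
    """Return None for non-InstallUtil events, else {"severity", "reasons"}.

    OriginalFileName is checked as well as Image so a renamed copy of the
    binary is still recognised.
    """
    image = event.get("Image", "")
    names = {ntpath.basename(image).lower(),
             event.get("OriginalFileName", "").lower()}
    if "installutil.exe" not in names:
        return None

    cmdline = event.get("CommandLine", "")
    reasons = []
    if not ntpath.dirname(image).lower().startswith(EXPECTED_DIRS):
        reasons.append("InstallUtil running outside the .NET Framework "
                       "directories (copied or renamed binary)")
    flag_hits = [reason for rx, reason in FLAG_CHECKS if rx.search(cmdline)]
    reasons.extend(flag_hits)

    if flag_hits:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "info"   # routine InstallUtil use is still worth recording
    return {"severity": severity, "reasons": reasons}


def run_rule(events):
    """Apply analyze_event to a batch; returns (severity, command line) pairs."""
    results = []
    for event in events:
        verdict = analyze_event(event)
        if verdict is not None:
            results.append((verdict["severity"], event.get("CommandLine", "")))
    return results


# Constructed sample events. The first reuses the command line of the test
# on this page; the rest are placeholders for routine and suspicious use.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "OriginalFileName": "InstallUtil.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "
                    r"/logfile= /LogToConsole=false /U T1118.dll"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "OriginalFileName": "InstallUtil.exe",
     "CommandLine": r'InstallUtil.exe "C:\Program Files\ExampleVendor\ExampleService.exe"'},
    {"Image": r"C:\Users\Public\iu.exe",          # renamed copy, user-writable path
     "OriginalFileName": "InstallUtil.exe",
     "CommandLine": r"iu.exe /U example.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe",  # unrelated process, ignored
     "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = analyze_event(event)
        if verdict:
            print(verdict["severity"].upper(), event["CommandLine"])
            for reason in verdict["reasons"]:
                print("   -", reason)
```

The severity ladder reflects what the page says about the technique: InstallUtil itself is a signed Microsoft binary that legitimate installers call, so a bare execution from its normal location is only recorded, while the uninstall-method call with logging disabled, or the binary running from a path other than the .NET Framework directories, is what separates this atomic test from routine use.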