InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system:C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exeandC:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe. InstallUtil.exe is digitally signed by Microsoft.Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute
[System.ComponentModel.RunInstaller(true)]. (Citation: SubTee GitHub All The Things Application Whitelisting Bypass)
Executes the Uninstall Method
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename}
Executes the Uninstall Method
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{filename}