CircleCI Atomic Red Team doc generator
2.4 KiB
2.4 KiB
T1118 - InstallUtil
Description from ATT&CK
InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system:C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exeandC:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe. InstallUtil.exe is digitally signed by Microsoft.Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute
[System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil)
Atomic Tests
Atomic Test #1 - InstallUtil uninstall method call
Executes the Uninstall Method
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll |
Run it with command_prompt!
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename}
Atomic Test #2 - InstallUtil GetHelp method call
Executes the Uninstall Method
Supported Platforms: Windows
Inputs
| Name | Description | Type | Default Value |
|---|---|---|---|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll |
Run it with command_prompt!
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{filename}