security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1118/T1118.md
T
CircleCI Atomic Red Team doc generator 91e86258e6 Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-24 17:09:43 +00:00

58 lines
2.4 KiB
Markdown
Raw Blame History

# T1118 - InstallUtil
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1118)
<blockquote>InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>. InstallUtil.exe is digitally signed by Microsoft.
Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)</blockquote>
## Atomic Tests
- [Atomic Test #1 - InstallUtil uninstall method call](#atomic-test-1---installutil-uninstall-method-call)
- [Atomic Test #2 - InstallUtil GetHelp method call](#atomic-test-2---installutil-gethelp-method-call)
<br/>
## Atomic Test #1 - InstallUtil uninstall method call
Executes the Uninstall Method
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
#### Run it with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename}
```
<br/>
<br/>
## Atomic Test #2 - InstallUtil GetHelp method call
Executes the Uninstall Method
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
#### Run it with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{filename}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink