InstallUtil.exe

  • File Path: C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  • Description: .NET Framework installation utility
  • Comments: Flavor=Retail

Hashes

  • MD5: 3C94B02364BA067E6C181191A5273824
  • SHA1: A44D2D25E0C36BEE0FD319F4B990A67D8C34E852
  • SHA256: 56763F94D6998304D137F5C202FB2147DA5F14A39F318C68A810FC351701486F
  • SHA384: 26C7802795A800C06815B1C176D8B9A44AC73D905F5823519FF403C9944ABA37302DB1B87448D5718BF3AA19C3008C82
  • SHA512: 4B8BBCD2C0105170142A2B1F74569FAC542180953BDE7BDC7625C4D17E860CBFCB818A6813AEDFF39FE6E13BD71CFD5E3B3187B984E81532A6ED5998BAB89CB9
  • SSDEEP: 384:GtpFVLK0MsihB9VKS7xdg8YKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+LPZTn:qBMs2Sqd/b6Iq8HOshcWEu4Y
  • IMP: F34D5F2D4577ED6D9CEEC516C1F5A744
  • PESHA1: 4981ADA46DEE754DD1DABD89D38BD3D92FCFF11A
  • PE256: D008500E7D33BEA5D52E57197A214BF5452E03E61027068E55008B91E601649A

Runtime Data

Usage (stdout):

Microsoft (R) .NET Framework Installation utility Version 4.8.4161.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]

InstallUtil executes the installers in each given assembly.
If the /u or /uninstall switch is specified, it uninstalls
the assemblies, otherwise it installs them. Unlike other
options, /u applies to all assemblies, regardless of where it
appears on the command line.

Installation is done in a transactioned way: If one of the
assemblies fails to install, the installations of all other
assemblies are rolled back. Uninstall is not transactioned.

Options take the form /switch=[value]. Any option that occurs
before the name of an assembly will apply to that assembly's
installation. Options are cumulative but overridable - options
specified for one assembly will apply to the next as well unless
the option is specified with a new value. The default for all
options is empty or false unless otherwise specified.

Options recognized:

Options for installing any assembly:
/AssemblyName
 The assembly parameter will be interpreted as an assembly name (Name,
 Locale, PublicKeyToken, Version). The default is to interpret the
 assembly parameter as the filename of the assembly on disk.

/LogFile=[filename]
 File to write progress to. If empty, do not write log. Default
 is <assemblyname>.InstallLog

/LogToConsole={true|false}
 If false, suppresses output to the console.

/ShowCallStack
 If an exception occurs at any point during installation, the call
 stack will be printed to the log.

/InstallStateDir=[directoryname]
 Directory in which the .InstallState file will be stored. Default
 is the directory of the assembly.


Individual installers used within an assembly may recognize other
options. To learn about these options, run InstallUtil with the paths
of the assemblies on the command line along with the /? or /help option.



Loaded Modules:

  • C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  • C:\WINDOWS\SYSTEM32\ntdll.dll
  • C:\WINDOWS\System32\wow64.dll
  • C:\WINDOWS\System32\wow64base.dll
  • C:\WINDOWS\System32\wow64con.dll
  • C:\WINDOWS\System32\wow64cpu.dll
  • C:\WINDOWS\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: InstallUtil.exe
  • Product Name: Microsoft .NET Framework
  • Company Name: Microsoft Corporation
  • File Version: 4.8.4161.0 built by: NET48REL1
  • Product Version: 4.8.4161.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/56763f94d6998304d137f5c202fb2147da5f14a39f318c68a810fc351701486f/detection

File Similarity (ssdeep match)

File (ssdeep match score):

  • C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\StoreAdm.exe: 66
  • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Web.ApplicationServices.dll: 46
  • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework.NETFramework\v4.8\System.Web.DynamicData.Design.dll: 61
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe: 65
  • C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe: 65
  • C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe: 68
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe: 68
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe: 65
  • C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe: 65
  • C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe: 66
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe: 65
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe: 93
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe: 65
  • C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe: 65
  • C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe: 68
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe: 68
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe: 65
  • C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe: 65
  • C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe: 65
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe: 63
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe: 88
  • C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe: 91

Possible Misuse

The following table contains possible examples of InstallUtil.exe being misused. While InstallUtil.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\installutil.exe' DRL 1.0
sigma proc_creation_win_possible_applocker_bypass.yml - '\installutil.exe' DRL 1.0
sigma proc_creation_win_possible_applocker_bypass.yml - Using installutil to add features for .NET applications (primarily would occur in developer environments) DRL 1.0
sigma proc_creation_win_susp_instalutil.yml title: Suspicious Execution of InstallUtil Without Log DRL 1.0
sigma proc_creation_win_susp_instalutil.yml description: Uses the .NET InstallUtil.exe application in order to execute image without log DRL 1.0
sigma proc_creation_win_susp_instalutil.yml - https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool DRL 1.0
sigma proc_creation_win_susp_instalutil.yml Image|endswith: \InstallUtil.exe DRL 1.0
LOLBAS Installutil.yml Name: Installutil.exe  
LOLBAS Installutil.yml - Command: InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll  
LOLBAS Installutil.yml - Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe  
LOLBAS Installutil.yml - Path: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe  
LOLBAS Installutil.yml - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  
LOLBAS Installutil.yml - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe  
LOLBAS Installutil.yml - Link: https://pentestlab.blog/2017/05/08/applocker-bypass-installutil/  
LOLBAS Installutil.yml - Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool  
malware-ioc sparklinggoblin ==== InstallUtil-based .NET loader used to decrypt and load SideWalk © ESET 2014-2018
malware-ioc sparklinggoblin ==== InstallUtil-based .NET loader used to decrypt and load Cobalt Strike © ESET 2014-2018
malware-ioc sparklinggoblin |T1218.004|Signed Binary Proxy Execution: InstallUtil © ESET 2014-2018
atomic-red-team index.md - T1218.004 InstallUtil MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: InstallUtil class constructor method call [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: InstallUtil Install method call [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #7: InstallUtil HelpText method call [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #8: InstallUtil evasive invocation [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.004 InstallUtil MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: InstallUtil class constructor method call [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: InstallUtil Install method call [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: InstallUtil HelpText method call [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #8: InstallUtil evasive invocation [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Path Interception by Search Order Hijacking CONTRIBUTE A TEST | RC Scripts | InstallUtil | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Path Interception by Unquoted Path | Registry Run Keys / Startup Folder | InstallUtil | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md # T1218.004 - InstallUtil MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil) MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #3 - InstallUtil class constructor method call MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #4 - InstallUtil Install method call MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #5 - InstallUtil Uninstall method call - /U variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #7 - InstallUtil HelpText method call MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #8 - InstallUtil evasive invocation MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md | invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | CheckIfInstallable| MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness}) MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md | invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | InstallHelper| MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #3 - InstallUtil class constructor method call MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md | invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable| MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #4 - InstallUtil Install method call MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #5 - InstallUtil Uninstall method call - /U variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #7 - InstallUtil HelpText method call MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #8 - InstallUtil evasive invocation MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, “Running a transacted installation.” MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe" MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.