InstallUtil
InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. InstallUtil is located in the .NET directory on a Windows system and is digitally signed by Microsoft. Adversaries may use InstallUtil to proxy execution of code through this trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. You can read more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1118.
The legitimate use of InstallUtil.exe makes detecting its malicious use more difficult. A network defense team would be quickly overrun attempting to triage every execution of InstallUtil.exe. However, the Veramine detection engine reports instances where InstallUtil.exe exhibits suspicious image load patterns often associated with malicious usage. This detection mechanism is not foolproof, as legitimate usage sometimes exhibits similar image load patterns. However, we have found that this rule's detection algorithm detects the majority of malicious InstallUtil.exe usage and filters out almost all of the noise from legitimate InstallUtil.exe executions. Here's an example detection:
Of course, all the other Veramine detection engine rules continue to operate on InstallUtil.exe processes as well. Confidence that a particular InstallUtil.exe instance is suspicious increases when multiple different Veramine detection rules flag it. In this particular example, the simulated attacker ran InstallUtil.exe passing in an unsigned DLL located in the current working directory, which also triggered the Veramine DLL sideloading detection algorithm:
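The two rules described above, image-load triage for InstallUtil.exe and the unsigned-DLL-in-working-directory sideloading check, can be sketched as a small triage script over image-load telemetry. This is an added illustration and not Veramine's engine or its rule logic; the event fields, the trusted-root list and the sample events are all constructed for the example.

```python
from pathlib import PureWindowsPath

# Directories from which a benign InstallUtil.exe run is expected to load modules.
# The .NET framework tree, System32 and the GAC all live under C:\Windows.
# (Assumption for this example; a real rule would use a tighter allow-list.)
TRUSTED_ROOTS = (PureWindowsPath(r"C:\Windows"),)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if `path` lies anywhere beneath `root` (case-insensitive on Windows paths)."""
    return root in path.parents


def is_installutil(image: str) -> bool:
    return PureWindowsPath(image).name.lower() == "installutil.exe"


def triage_image_loads(events):
    """Return one finding per ImageLoad event in which InstallUtil.exe loads a
    module that is unsigned or sits outside the trusted roots.  An unsigned
    module loaded from the process's working directory is additionally labelled
    as possible DLL sideloading, mirroring the second rule in the text."""
    findings = []
    for ev in events:
        if ev["event"] != "ImageLoad" or not is_installutil(ev["process_image"]):
            continue
        loaded = PureWindowsPath(ev["loaded_image"])
        reasons = []
        if not ev["signed"]:
            reasons.append("unsigned module")
        if not any(_under(loaded, root) for root in TRUSTED_ROOTS):
            reasons.append("module outside trusted Windows directories")
        if not ev["signed"] and loaded.parent == PureWindowsPath(ev["cwd"]):
            reasons.append("possible DLL sideloading from working directory")
        if reasons:
            findings.append({"pid": ev["pid"], "loaded_image": str(loaded), "reasons": reasons})
    return findings


# Constructed sample telemetry (not real logs): benign loads, an unrelated
# process, and one load that mirrors the scenario in the text above.
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "pid": 4120, "process_image": INSTALLUTIL, "signed": True,
     "loaded_image": r"C:\Windows\System32\ntdll.dll", "cwd": r"C:\Users\alice"},
    {"event": "ImageLoad", "pid": 4120, "process_image": INSTALLUTIL, "signed": True,
     "loaded_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll", "cwd": r"C:\Users\alice"},
    {"event": "ImageLoad", "pid": 5008, "process_image": r"C:\Windows\System32\cmd.exe", "signed": False,
     "loaded_image": r"C:\Users\alice\tool.dll", "cwd": r"C:\Users\alice"},
    {"event": "ImageLoad", "pid": 4120, "process_image": INSTALLUTIL, "signed": False,
     "loaded_image": r"C:\Users\alice\Downloads\update.dll", "cwd": r"C:\Users\alice\Downloads"},
]

if __name__ == "__main__":
    for finding in triage_image_loads(SAMPLE_EVENTS):
        print(finding)
```

Only the last sample event is reported, with all three reasons attached; the unsigned load by cmd.exe is ignored because the rule is scoped to InstallUtil.exe.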