Process

unknown

installutil.exe

installutil.exe is the .NET Framework Installer tool, meant to run the installer components inside a .NET assembly. Administrators and installers use it to register services and components. Attackers use it to execute a malicious assembly through a signed Microsoft binary while bypassing application control.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS (3 entries)
  • InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll} · AWL Bypass · Use to execute code and bypass application whitelisting
  • InstallUtil.exe /logfile= /LogToConsole=false /U {PATH:.dll} · Execute · Use to execute code and bypass application whitelisting
  • InstallUtil.exe {REMOTEURL} · Download · Downloads payload from remote server

Indicators

Hashes

Not observed.

Analysis

About this process

installutil.exe installs and uninstalls server resources by running the installer classes inside a .NET assembly. The relevant detail for triage is that it invokes code in the target assembly: the install method of its installer classes or, with /u (the path usually abused), their uninstall method. Pointing it at an assembly therefore runs that assembly's code. It ships with the .NET Framework, so the genuine binary lives under C:\Windows\Microsoft.NET\Framework and Framework64, not System32.

Legitimately, installutil is run by administrators and setup programs against real, installed components. The assembly it is pointed at and where that assembly lives are what give an instance meaning.

Security notes

installutil.exe is a system-binary proxy (T1218.004). Because it runs the installer (and uninstaller) code inside a .NET assembly, an attacker crafts an assembly whose payload lives in that code and runs installutil /u evil.dll (or the install path) to have the signed Microsoft tool execute it. This bypasses application-control rules that trust Microsoft binaries and keeps the payload in a DLL rather than a flagged executable.

Both the binary and the operation are legitimate, so the context is what matters: the assembly path, the parent, and whether the host has any reason to be installing components. An assembly loaded from a temp or download folder, or installutil launched by an Office process, points to abuse.

Anomaly signals (4)
  • Running an assembly from a user-writable path (Temp, AppData, Downloads) · high
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe · high
  • Outbound network connections or child processes from installutil · high
  • Running on a host with no software-installation activity · medium
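As an added illustration, not part of this catalogue entry or its data source, the following Python routine scores installutil.exe process-creation events against the anomaly signals listed above plus the binary-location check from the About this process section. The event field names (image, cmdline, parent) and every sample event are constructed for the example.

```python
import re
# Added example (not part of this page's catalogue data): score installutil.exe
# process-creation events with the anomaly signals listed above. The field
# names (image, cmdline, parent) and all sample events are constructed.
FRAMEWORK_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
                  "c:\\windows\\microsoft.net\\framework64\\")
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\")
RISKY_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
# Shape of the LOLBAS entries above: /logfile= /LogToConsole=false /U <assembly>
LOLBAS_RE = re.compile(r"/logfile=\s+/logtoconsole=false\s+/u\b", re.IGNORECASE)
ASSEMBLY_RE = re.compile(r'"?([^"\s]+\.dll)"?', re.IGNORECASE)

def score_event(image, cmdline, parent):
    """Return (score, reasons); high signal = 3 points, medium = 1."""
    img = image.lower()
    if not img.endswith("\\installutil.exe"):
        return 0, []                      # some other process, nothing to say
    reasons = []
    if not img.startswith(FRAMEWORK_DIRS):  # genuine copy lives under Framework*
        reasons.append(("high", "binary not under Microsoft.NET\\Framework(64)"))
    m = ASSEMBLY_RE.search(cmdline)         # the assembly installutil will run
    assembly = m.group(1).lower() if m else ""
    if any(d in assembly for d in USER_WRITABLE):
        reasons.append(("high", f"assembly from user-writable path: {assembly}"))
    if parent.lower().rsplit("\\", 1)[-1] in RISKY_PARENTS:
        reasons.append(("high", f"suspicious parent: {parent}"))
    if LOLBAS_RE.search(cmdline):
        reasons.append(("medium", "command line matches the LOLBAS AWL-bypass form"))
    score = sum(3 if sev == "high" else 1 for sev, _ in reasons)
    return score, [f"[{sev}] {why}" for sev, why in reasons]

def triage(events, threshold=3):
    """Return (score, cmdline, reasons) for events at or above the threshold."""
    hits = []
    for e in events:
        score, reasons = score_event(e["image"], e["cmdline"], e["parent"])
        if score >= threshold:
            hits.append((score, e["cmdline"], reasons))
    return hits
# Constructed events: a setup program doing real work, then the abuse pattern.
EVENTS = [
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r'InstallUtil.exe "C:\Program Files\Contoso\SvcHost.dll"',
     "parent": r"C:\Program Files\Contoso\setup.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\bob\AppData\Local\Temp\x.dll",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]
```

Running triage(EVENTS) flags only the second event, with the user-writable assembly path, the Office parent and the LOLBAS-shaped command line as reasons.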

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
