Microsoft (R) .NET Framework Installation utility Version 4.0.30319.17929
Copyright (C) Microsoft Corporation. All rights reserved.

Hello From Uninstall...I carry out the real work...
Enjoy the sweet reverse shell:
Observations
Look for InstallUtil processes that have established network connections, especially those with cmd or powershell processes running as children. Treat them as suspicious and investigate the endpoint more closely:
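As an added illustration of that hunt (example code written for this page, not from the original post), here is a small Python check over constructed Sysmon-style event records: it flags InstallUtil processes that spawned cmd.exe or powershell.exe and records whether a network-connection event (Sysmon EventID 3) was also logged for the same process, since that event may be missing from the logs. Field names follow Sysmon's process-create and network-connect events; the GUIDs and paths in the sample are constructed.

```python
# Added example, not part of the original post. Flags InstallUtil.exe processes
# that spawned a shell and notes whether Sysmon also logged a network connection
# for them (Sysmon EventID 1 = process create, EventID 3 = network connection).
from collections import defaultdict

SHELLS = {"cmd.exe", "powershell.exe"}
LOLBIN = "installutil.exe"

def basename(path):
    """Lowercased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious_installutil(events):
    """Return {InstallUtil ProcessGuid: {"children": [...], "network": bool}} for
    every InstallUtil process that spawned cmd.exe or powershell.exe. "network"
    records whether an EventID 3 was seen for that same process; the child shell
    alone is still worth triage because the connection event can be absent."""
    connected = set()
    children = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 3 and basename(ev["Image"]) == LOLBIN:
            connected.add(ev["ProcessGuid"])
        elif (ev["EventID"] == 1 and basename(ev["ParentImage"]) == LOLBIN
              and basename(ev["Image"]) in SHELLS):
            children[ev["ParentProcessGuid"]].append(basename(ev["Image"]))
    return {guid: {"children": kids, "network": guid in connected}
            for guid, kids in children.items()}

# Constructed Sysmon-like sample data (GUIDs and paths are made up):
#  {A1}: InstallUtil connects out and spawns cmd.exe      -> flagged, network=True
#  {B1}: InstallUtil runs with no shell child             -> not flagged
#  {C1}: InstallUtil spawns powershell, no EventID 3 seen -> flagged, network=False
IU = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": IU,
     "ParentProcessGuid": "{00}", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": IU},
    {"EventID": 1, "ProcessGuid": "{A2}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessGuid": "{A1}", "ParentImage": IU},
    {"EventID": 1, "ProcessGuid": "{B1}", "Image": IU,
     "ParentProcessGuid": "{00}", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessGuid": "{C1}", "Image": IU,
     "ParentProcessGuid": "{00}", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{C2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessGuid": "{C1}", "ParentImage": IU},
]

if __name__ == "__main__":
    for guid, info in find_suspicious_installutil(SAMPLE_EVENTS).items():
        print(f"suspicious InstallUtil {guid}: children={info['children']} "
              f"network_connection_logged={info['network']}")
```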
A very primitive Kibana query that finds events where InstallUtil spawns cmd:
csc.exe created temp.exe, which contains the reverse shell payload:
What is interesting is that I could not see an established network connection logged in sysmon logs, although I could see other network connections from the victim machine being logged.
Will be coming back to this one for further inspection - possibly related to sysmon configuration.