MITRE ATT&CK® Technique

T1218.004: InstallUtil

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. [1] The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe.

InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. [2]

Domain: Enterprise | ID: T1218.004 | Type: Sub-technique | Object version: 3.0 | Modified:
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

InstallUtil matters because it is a legitimate Microsoft .NET utility that can be used to run code through a trusted Windows binary. For leaders, the risk is not the tool itself but the control gap it can reveal: defenses that trust signed system utilities too broadly may miss malicious or unauthorized .NET execution used for stealth.

Executive priority

Prioritize this as a Windows execution-control and monitoring validation item. Ask whether application control policies, SOC detections, and incident response playbooks distinguish normal administrative InstallUtil use from unusual execution of .NET binaries. This is especially relevant for audit evidence around execution prevention and for reducing blind spots in trusted-binary abuse.

Technical view

ATT&CK lists InstallUtil as a Windows sub-technique of System Binary Proxy Execution under the stealth tactic. The key validation point is whether InstallUtil.exe execution from Microsoft .NET Framework or Framework64 paths is monitored with command-line context, parent process, child process, user, host, and target binary details. Because official ATT&CK detection text is not provided, teams should align local analytics to the related detection strategy DET0138 and test whether application control rules treat InstallUtil as a trusted utility without checking what it is asked to execute.

Likely telemetry

  • Windows process creation events for InstallUtil.exe
  • Full command-line arguments and executed .NET binary paths
  • Parent and child process relationships
  • Executable path, signer, and hash metadata
  • User, host, and privilege context

Detection direction

  • Baseline legitimate administrative or developer use of InstallUtil before alerting broadly.
  • Look for InstallUtil execution from expected .NET directories with unusual parent processes, users, hosts, or target binaries.
  • Tune for the system-binary-proxy-execution pattern rather than only the InstallUtil filename.
  • Correlate with DET0138 where available, since the ATT&CK object itself does not provide detection logic.
  • Account for false positives from software installation, uninstallation, build, or administration workflows.
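As an added example (not Glexia's or MITRE's code), the following Python scores constructed Sysmon-style process-creation events for InstallUtil against the telemetry and detection direction above: expected .NET Framework or Framework64 image path, baselined parent process and user, location of the target .NET assembly taken from the command line, and matching on the PE OriginalFileName rather than the on-disk filename alone. The event field names, the baseline sets, the weights and the sample events are assumptions for a hypothetical environment, not data from any real one.

```python
"""Score Windows process-creation events for InstallUtil against a local baseline.

Added example for this page, not Glexia's or MITRE's code. Event fields follow a
Sysmon-like shape; baseline sets, weights and sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Expected locations from the technique text:
#   C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe
#   C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe
EXPECTED_IMAGE = re.compile(
    r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\installutil\.exe$",
    re.IGNORECASE,
)

# Constructed baseline for a hypothetical environment (assumption): which parents,
# users and target directories are normal for installer and build workflows.
# Populate these from your own telemetry before turning scores into alerts.
BASELINE_PARENTS = {"msiexec.exe", "devenv.exe", "setup.exe"}
BASELINE_USERS = {r"CORP\svc-build", r"CORP\ops-admin"}
APPROVED_TARGET_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\build\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

WEIGHTS = {
    "image_path": 3,     # binary not in a .NET Framework directory (copied or renamed)
    "parent": 2,         # parent process not in the baseline
    "user": 2,           # user not in the baseline
    "no_target": 1,      # no assembly on the command line: unusual invocation
    "target_dir": 2,     # target assembly outside approved directories
    "user_writable": 3,  # target assembly in a user-writable location
}
ALERT_THRESHOLD = 4
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted argument or bare token


@dataclass(frozen=True)
class Finding:
    event_id: str
    score: int
    reasons: tuple


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_installutil(event: dict) -> bool:
    """Match the PE OriginalFileName as well as the on-disk name, so a copied or
    renamed InstallUtil binary is still scored (not only the filename)."""
    names = {basename(event.get("Image", "")), event.get("OriginalFileName", "")}
    return "installutil.exe" in {n.lower() for n in names}


def target_binary(command_line: str) -> Optional[str]:
    """Return the assembly InstallUtil was asked to process: the last non-switch
    argument after the program name, with surrounding quotes removed."""
    args = [quoted or bare for quoted, bare in ARG_RE.findall(command_line)]
    operands = [a for a in args[1:] if not a.startswith(("/", "-"))]
    return operands[-1] if operands else None


def reasons_for(event: dict) -> list:
    reasons = []
    if not EXPECTED_IMAGE.match(event.get("Image", "")):
        reasons.append("image_path")
    if basename(event.get("ParentImage", "")).lower() not in BASELINE_PARENTS:
        reasons.append("parent")
    if event.get("User", "") not in BASELINE_USERS:
        reasons.append("user")
    target = target_binary(event.get("CommandLine", ""))
    if target is None:
        reasons.append("no_target")
    else:
        lowered = target.lower()
        if not lowered.startswith(APPROVED_TARGET_DIRS):
            reasons.append("target_dir")
        if any(marker in lowered for marker in USER_WRITABLE):
            reasons.append("user_writable")
    return reasons


def score_event(event: dict) -> Optional[Finding]:
    """None for non-InstallUtil events; otherwise a weighted finding."""
    if not is_installutil(event):
        return None
    reasons = tuple(reasons_for(event))
    return Finding(event["RecordId"], sum(WEIGHTS[r] for r in reasons), reasons)


def triage(events, threshold: int = ALERT_THRESHOLD) -> list:
    """Findings at or above the threshold, highest score first."""
    findings = [f for f in map(score_event, events) if f is not None]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample events (assumption), in a Sysmon-like field layout.
SAMPLE_EVENTS = [
    {   # packaged agent installed by msiexec under the build service account
        "RecordId": "1001",
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
        "OriginalFileName": "InstallUtil.exe",
        "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" '
                       r'"C:\Program Files\Contoso Agent\AgentService.exe"',
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "User": r"CORP\svc-build",
    },
    {   # interactive user, PowerShell parent, assembly in a temp directory
        "RecordId": "1002",
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
        "OriginalFileName": "InstallUtil.exe",
        "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "
                       r"C:\Users\jdoe\AppData\Local\Temp\update.dll",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "User": r"CORP\jdoe",
    },
    {   # InstallUtil copied elsewhere under another name; caught via OriginalFileName
        "RecordId": "1003",
        "Image": r"C:\ProgramData\svc.exe",
        "OriginalFileName": "InstallUtil.exe",
        "CommandLine": r"C:\ProgramData\svc.exe C:\ProgramData\payload.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "User": r"CORP\jdoe",
    },
    {   # unrelated process, ignored by the scorer
        "RecordId": "1004",
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"CORP\jdoe",
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.event_id}: score {f.score}, reasons {', '.join(f.reasons)}")
```

Run as-is it reports records 1003 and 1002 and stays silent on the msiexec-driven install, which is the baselining step the first bullet asks for. The weights and threshold are the tuning knobs: raise the threshold or widen the baseline sets where build and administration workflows generate noise, and treat the image-path and user-writable signals as the ones to keep strong because they do not depend on the filename.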

Mitigation priorities

  • Use execution prevention controls, consistent with M1038, to restrict unauthorized code execution rather than trusting signed binaries unconditionally.
  • Review whether InstallUtil is required on production endpoints and servers; where unnecessary, consider disabling or removing the feature or program in line with M1042.
  • Validate application control policy behavior for Microsoft-signed utilities that can execute externally supplied content.
  • Document approved administrative use cases so SOC and audit teams can separate expected activity from suspicious use.

Analyst notes and limits

The relationship context shows use by multiple ATT&CK groups and software entries, but that should be treated as threat-intelligence relevance, not proof of current activity in any environment. The revoked predecessor T1118 maps into this sub-technique, so legacy detection content may need updating to T1218.004.

Official ATT&CK detection guidance is not provided for this object. Local conclusions require environment-specific evidence about where InstallUtil exists, whether it is needed, what telemetry is collected, and how application control policies are enforced.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1118 | InstallUtil | T1118 was revoked by this object.
Enterprise | T1218 | System Binary Proxy Execution | This object is a sub-technique of System Binary Proxy Execution.
Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. [1][2][3][4][5][6][7][8][9][10][11][12][13]

Group (Enterprise)

G0045: menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company. [1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university. [3][4][5][6][7][1][2]

Malware (Enterprise)

S0631: Chaes

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America. [1]

Platforms: Windows

Malware (Enterprise)

S0689: WhisperGate

WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multiple government, non-profit, and information technology organizations in Ukraine since at least January 2022. [1][2][3]

Platforms: Windows

Tool (Enterprise)

S1155: Covenant

Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller. [1][2]

Platforms: Linux, macOS, Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 3.0
Created:
Modified:
Raw hash: 489bd2c5a357809f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 3.0 | | Current bundle | 489bd2c5a357…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft. (n.d.). Installutil.exe (Installer Tool). MSDN. Retrieved July 1, 2016.
  2. [2] LOLBAS. (n.d.). Installutil.exe. Retrieved July 31, 2019.
  3. [3] MITRE ATT&CK. T1218.004: InstallUtil.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.