TIARAS - T1218.004: InstallUtil

MITRE ATT&CK Technique

Defense Evasion T1218.004

Description

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>. InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)

Supported Platforms

Windows

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2020-01-23T19:09:48.811Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use InstallUtil to proxy execution of code '
                'through a trusted Windows utility. InstallUtil is a '
                'command-line utility that allows for installation and '
                'uninstallation of resources by executing specific installer '
                'components specified in .NET binaries. (Citation: MSDN '
                'InstallUtil) The InstallUtil binary may also be digitally '
                'signed by Microsoft and located in the .NET directories on a '
                'Windows system: '
                '<code>C:\\Windows\\Microsoft.NET\\Framework\\v<version>\\InstallUtil.exe</code> '
                'and '
                '<code>C:\\Windows\\Microsoft.NET\\Framework64\\v<version>\\InstallUtil.exe</code>.\n'
                '\n'
                'InstallUtil may also be used to bypass application control '
                'through use of attributes within the binary that execute the '
                'class decorated with the attribute '
                '<code>[System.ComponentModel.RunInstaller(true)]</code>. '
                '(Citation: LOLBAS Installutil)',
 'external_references': [{'external_id': 'T1218.004',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1218/004'},
                         {'description': 'Microsoft. (n.d.). Installutil.exe '
                                         '(Installer Tool). Retrieved July 1, '
                                         '2016.',
                          'source_name': 'MSDN InstallUtil',
                          'url': 'https://msdn.microsoft.com/en-us/library/50614e95.aspx'},
                         {'description': 'LOLBAS. (n.d.). Installutil.exe. '
                                         'Retrieved July 31, 2019.',
                          'source_name': 'LOLBAS Installutil',
                          'url': 'https://lolbas-project.github.io/lolbas/Binaries/Installutil/'}],
 'id': 'attack-pattern--2cd950a6-16c4-404a-aa01-044322395107',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:48:34.798Z',
 'name': 'InstallUtil',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Travis Smith, Tripwire', 'Casey Smith'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows'],
 'x_mitre_version': '2.1'}

Quick Actions

Edit TTP Update from Web

Related Threat Actors (2)

Mustang Panda
High

menuPass
High

Back to TTPs

Dashboard About