File Download Via InstallUtil.EXE
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE"
Sigma rule:

```yaml
title: File Download Via InstallUtil.EXE
id: 75edd216-1939-4c73-8d61-7f3a0d85b5cc
status: test
description: |
    Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/239
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2023-11-09
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\InstallUtil.exe'
        - OriginalFileName: 'InstallUtil.exe'
    selection_cli:
        CommandLine|contains:
            - 'ftp://'
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
```
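To make the rule's logic concrete, here is an added Python matcher (not code from the rule author or the Sigma project) that evaluates `selection_img`, `selection_cli` and the `all of selection_*` condition over constructed process_creation events, including a renamed binary that only the `OriginalFileName` check catches and a benign service registration that must not alert. The file paths, command lines and the `example.invalid` host are assumptions made for the sample data.

```python
"""Reference matcher for the InstallUtil.EXE download rule (added example)."""

# Sigma string comparisons are case-insensitive unless a rule says otherwise.
def _endswith(value, suffix):
    return value is not None and value.lower().endswith(suffix.lower())

def _contains(value, needle):
    return value is not None and needle.lower() in value.lower()

def selection_img(event):
    """A YAML list under a selection is OR: path suffix OR PE original name."""
    return (_endswith(event.get("Image"), "\\InstallUtil.exe")
            or (event.get("OriginalFileName") or "").lower() == "installutil.exe")

def selection_cli(event):
    """CommandLine|contains with a list: any of the URL schemes matches."""
    return any(_contains(event.get("CommandLine"), s) for s in ("ftp://", "http://", "https://"))

def rule_matches(event):
    """condition: all of selection_* -> every selection must be true."""
    return selection_img(event) and selection_cli(event)

# Constructed process_creation events, not real telemetry.
SAMPLE_EVENTS = [
    # True positive: InstallUtil given a URL on its command line.
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "OriginalFileName": "InstallUtil.exe",
     "CommandLine": "InstallUtil.exe https://example.invalid/file.txt"},
    # Renamed copy: the Image suffix check fails, OriginalFileName still catches it.
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "InstallUtil.exe",
     "CommandLine": "svc.exe http://example.invalid/a"},
    # Legitimate service registration: no URL, so selection_cli is false.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe",
     "OriginalFileName": "InstallUtil.exe",
     "CommandLine": r"installutil.exe C:\Program Files\Vendor\Service.exe"},
    # Different binary with a URL: selection_img is false.
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.invalid"},
]

def matching_events(events=SAMPLE_EVENTS):
    """Return the events the rule would alert on."""
    return [e for e in events if rule_matches(e)]

if __name__ == "__main__":
    for e in matching_events():
        print("ALERT:", e["CommandLine"])
```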
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE