Disable or Restrict InstallUtil (CM0132)
- ID: CM0132
- Version: 1.0
- Created: 14 March 2025
- Modified: 14 March 2025
- Type: Disable, Examine
- Status: Active
Intended Outcome
Disabling or restricting InstallUtil prevents an adversary's attempts at defense evasion and application control evasion using InstallUtil.
Introduction
InstallUtil is a command-line tool that allows administrators to install or uninstall server resources via the installer components of various assemblies. The tool is automatically installed with Visual Studio, but can be used independently from the command line. Adversaries can use the utility to bypass application control and evade defenses: since InstallUtil is a Microsoft-signed binary, it can be used to install executables that would otherwise be blocked by AppLocker policies. The Metasploit framework also has specific modules for AppLocker bypass by abusing the InstallUtil binary.
Preparation
- Identify if and how InstallUtil is used in the environment and what impacts restricting or disabling it would have on business operations.
- Identify if Visual Studio is used in the environment.
Risks
- InstallUtil may be used for business operations, in which case disabling it would be detrimental. Consider restricting and monitoring the tool instead.
- Disabling or restricting InstallUtil may limit Visual Studio functionality.
- Moving or renaming InstallUtil may evade detection or AppLocker and Windows Defender Application Control (WDAC) policies. Consider creating several kinds of rules (e.g. hash and path) to mitigate this risk.
Guidance
Restrict InstallUtil
- Restrict use of InstallUtil (or Visual Studio as well) to users or groups that require it for their jobs.
- If the binary is registered in the Microsoft Entra tenant, navigate to `Identity > Applications > Enterprise Applications > All applications` in the Microsoft Entra admin center.
- Select InstallUtil or Visual Studio.
- On the application's Overview page, navigate to `Manage > Properties` and enable the `Assignment required?` setting.
- Under `Manage`, navigate to `Users and groups > Add user/group > Users`.
- Select `None selected` and add users from the selector pane that opens. Select `Assign` to complete assignment.
Monitor InstallUtil
- Monitor for `installutil` process launches by reviewing the 'process creation' events (ID 4688) in the Windows Security event log.
- Monitor for creation of files with InstallLog and InstallState extensions, since they show that an assembly was installed with InstallUtil.
- Monitor changes or calls to the `C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe` and `C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe` files.
- Monitor any network connections made by the InstallUtil process.
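The four checks above as one added PowerShell script (not part of the original playbook): it reads 4688 events by field name, flags InstallUtil copies running outside the .NET Framework directories, lists recent InstallLog/InstallState files and shows live network connections owned by the process. It assumes an elevated session with process creation auditing enabled; the lookback window and search roots are constructed values.

```powershell
# Added example, not part of the original playbook. Assumes an elevated session and
# that 4688 auditing is enabled; $Lookback and $SearchRoots are constructed values.
$Lookback    = (Get-Date).AddDays(-7)
$SearchRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\Temp")   # constructed, adjust per host
# Expected on-disk locations (any .NET Framework version); a copy running elsewhere is suspicious
$KnownPath   = '^[A-Z]:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\InstallUtil\.exe$'

function Get-InstallUtilProcessEvents {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name; positional Properties[] indexes differ between OS builds
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data['NewProcessName'] -match 'installutil\.exe$') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $data['SubjectUserName']
                    Process = $data['NewProcessName']
                    Parent  = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
                    CmdLine = $data['CommandLine']         # empty unless command-line auditing is enabled
                    OffPath = $data['NewProcessName'] -notmatch $KnownPath
                }
            }
        }
}

function Get-InstallUtilArtifacts {
    param([string[]]$Roots, [datetime]$Since)
    # .InstallLog / .InstallState files are written when an assembly is installed with InstallUtil
    Get-ChildItem -Path $Roots -Recurse -File -Include *.InstallLog, *.InstallState -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Select-Object FullName, LastWriteTime
}

function Get-InstallUtilConnections {
    # Point-in-time view; InstallUtil has no normal reason to open network connections
    $ids = (Get-Process -Name InstallUtil -ErrorAction SilentlyContinue).Id
    if ($ids) {
        Get-NetTCPConnection -OwningProcess $ids -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, RemoteAddress, RemotePort, State, OwningProcess
    }
}

Get-InstallUtilProcessEvents -Since $Lookback | Sort-Object OffPath -Descending | Format-Table -AutoSize
Get-InstallUtilArtifacts -Roots $SearchRoots -Since $Lookback | Format-Table -AutoSize
Get-InstallUtilConnections | Format-Table -AutoSize
```

Rows with `OffPath` set to True, a non-standard parent process, or any returned connection are the ones to triage first.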
Remove via AppLocker
- Implement AppLocker's default allow rules for executables.
- In the Group Policy Management Console (GPMC) navigate to `Security Settings > Application Control Policies > AppLocker > Executable Rules`.
- Select `Executable Rules` and enable `Create Default Rules`.
- Define a deny rule for `InstallUtil.exe`.
- Alternatively, block file path locations of the InstallUtil.exe executable.
Remove via Windows Defender Application Control
WDAC can be configured for both allow and deny policies based on organizational needs. When creating deny policies, Microsoft requires the inclusion of "Allow All" rules in both the kernel and user mode sections: anything not covered by an allow rule is implicitly blocked, so without them the policy would block all software. Microsoft provides an AllowAll policy template, which does not affect any explicit allow rules already in place. Policies can be created using PowerShell or via the WDAC wizard.

Initialise the rule array with `$DenyRules = @()`, then append one or more deny rules:

| Rule Type | PowerShell Command |
|---|---|
| Software Publisher-based | `$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath InstallUtil.exe -Fallback SignedVersion,Publisher,Hash -Deny` |
| Software attribute-based | `$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath InstallUtil.exe -Fallback Hash -Deny` |
| Hash-based | `$DenyRules += New-CIPolicyRule -Level Hash -DriverFilePath InstallUtil.exe -Deny` |

Merge the deny rules with the AllowAll template and give the resulting policy its own name and ID:

```powershell
$DenyPolicy = "<path_to_deny_policy_destination>"   # placeholder: where the merged policy XML is written
$AllowAllPolicy = $Env:windir + "\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
# Combine the AllowAll template with the deny rules built above into one policy file
Merge-CIPolicy -PolicyPaths $AllowAllPolicy -OutputFilePath $DenyPolicy -Rules $DenyRules
# Name the policy and assign it a fresh policy ID
Set-CiPolicyIdInfo -FilePath $DenyPolicy -PolicyName "Deny InstallUtil" -ResetPolicyID
```
Deploy WDAC policies
- Convert the XML policy into binary. An example PowerShell command to do so is listed below. Ensure that the `$WDACPolicyXMLFile` variable points to the location of the XML policy file.

```powershell
## Update the path to your WDAC policy XML
$WDACPolicyXMLFile = $env:USERPROFILE + "\Desktop\MyWDACPolicy.xml"
[xml]$WDACPolicy = Get-Content -Path $WDACPolicyXMLFile
if (($WDACPolicy.SiPolicy.PolicyID) -ne $null) {
    ## Multiple policy format (for Windows builds 1903+ only, including Server 2022)
    $PolicyID = $WDACPolicy.SiPolicy.PolicyID
    $PolicyBinary = $PolicyID + ".cip"
}
else {
    ## Single policy format (Windows Server 2016 and 2019, and Windows 10 1809 LTSC)
    $PolicyBinary = "SiPolicy.p7b"
}
## Binary file will be written to your desktop
ConvertFrom-CIPolicy -XmlFilePath $WDACPolicyXMLFile -BinaryFilePath "$env:USERPROFILE\Desktop\$PolicyBinary"
```
Deployment can vary depending on the version of Windows a client is running and whether it is a server or workstation.
- For Windows 11 22H2 and above:
  - Use the CiTool to apply policies.
- For Windows 11, Windows 10 version 1903 and above, Windows Server 2022 and above:
  - Initialize variables.
  - Copy the policy binary to the destination folder.
  - Run RefreshPolicy.exe to activate and refresh policies on a managed endpoint.
- All other versions of Windows and Windows Server:
  - Initialize variables.
  - Copy the policy binary to the destination folder.
  - Activate and refresh policies using Windows Management Instrumentation (WMI).
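The three deployment paths above as one added PowerShell script (not from the original playbook or Microsoft's documentation), branching on the OS build number and finishing with a check for CodeIntegrity block events. `$PolicyBinary` is a placeholder for the file written by `ConvertFrom-CIPolicy`, and the location of RefreshPolicy.exe, a separate Microsoft download, is an assumption.

```powershell
# Added example, not part of the original playbook. Assumes an elevated session and that
# $PolicyBinary is the .cip/.p7b produced by ConvertFrom-CIPolicy (placeholder path below).
$PolicyBinary  = "$env:USERPROFILE\Desktop\<PolicyID>.cip"   # placeholder, not a real file name
$RefreshPolicy = "$env:windir\System32\RefreshPolicy.exe"    # assumption: wherever the download was stored
$Build = [System.Environment]::OSVersion.Version.Build

if ($Build -ge 22621) {
    # Windows 11 22H2 (build 22621) and later: CiTool copies and activates the policy in one step
    & "$env:windir\System32\CiTool.exe" --update-policy $PolicyBinary
}
elseif ($Build -ge 18362) {
    # Windows 10 1903 (build 18362) and later, Windows 11 21H2, Server 2022: multiple-policy format
    $DestinationFolder = "$env:windir\System32\CodeIntegrity\CiPolicies\Active\"
    Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -Force
    if (Test-Path $RefreshPolicy) { & $RefreshPolicy }
    else { Write-Warning "RefreshPolicy.exe not found; the policy will activate at next boot" }
}
else {
    # Server 2016/2019 and Windows 10 1809 LTSC: single-policy format, activated through WMI
    $DestinationBinary = "$env:windir\System32\CodeIntegrity\SiPolicy.p7b"
    Copy-Item -Path $PolicyBinary -Destination $DestinationBinary -Force
    Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy `
        -MethodName Update -Arguments @{ FilePath = $DestinationBinary }
}

# Verification: with the deny policy enforced, blocked InstallUtil launches are logged as CodeIntegrity event 3077
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'InstallUtil' } |
    Select-Object TimeCreated, Message
```

Run the policy in audit mode first (event 3076 instead of 3077) to confirm that no business process depends on InstallUtil before switching to enforcement.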