title: InstallUtil (T1218.004)
id: df00tech-t1218-004
status: experimental
description: "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary is digitally signed by Microsoft and located in the .NET directories. InstallUtil may also bypass application control by using the [System.ComponentModel.RunInstaller(true)] attribute decorator pattern. Known users of this technique include Mustang Panda (Beacon stager), WhisperGate (Windows Defender disable), Chaes malware, Saint Bot, and the Covenant C2 framework."
references:
  - https://attack.mitre.org/techniques/T1218/004/
  - https://df00tech.com/detections/T1218.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The original df00tech logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Minimal process_creation selection: match the signed binary by path or by PE original name
  # (OriginalFileName also catches a renamed copy), so the rule no longer matches every event.
  selection:
    - Image|endswith: '\InstallUtil.exe'
    - OriginalFileName: 'InstallUtil.exe'
  condition: selection
falsepositives:
  - Legitimate .NET software installers that use InstallUtil.exe to register Windows services or COM components during installation
  - Software development teams running InstallUtil to install or uninstall custom .NET components during testing
  - "IT deployment tools (SCCM, PDQ Deploy) using InstallUtil to deploy .NET-based applications"
  - Windows Setup and update processes that invoke InstallUtil for framework component registration
level: high
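Added example, not part of the df00tech rule or its referenced queries: an InstallUtil process_creation selection evaluated in Python over constructed Sysmon-style events, with the rule's false-positive list applied as an explicit parent-process allowlist. The events, paths and the PLACEHOLDER_DEPLOY_AGENT.exe parent are constructed assumptions.

```python
# Added example, not part of the df00tech rule: evaluate an InstallUtil
# process_creation selection over constructed Sysmon-style events and apply the
# rule's false-positive list as an explicit, reviewable parent-process allowlist.
import ntpath

NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

# Constructed sample events modelled on Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    # Interactive launch of a .NET DLL from a user-writable path: alert.
    {"Image": NET + r"\InstallUtil.exe", "OriginalFileName": "InstallUtil.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"InstallUtil.exe C:\Users\Public\svc.dll"},
    # Renamed copy of the signed binary: Image misses, OriginalFileName still matches.
    {"Image": r"C:\Users\Public\iu.exe", "OriginalFileName": "InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"iu.exe C:\Users\Public\svc.dll"},
    # Unrelated installer activity: no match.
    {"Image": r"C:\Windows\System32\msiexec.exe", "OriginalFileName": "msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\app.msi /qn"},
    # Deployment tool registering a vendor service (rule's false-positive list): suppressed.
    {"Image": NET + r"\InstallUtil.exe", "OriginalFileName": "InstallUtil.exe",
     "ParentImage": r"C:\Program Files\DeployTool\PLACEHOLDER_DEPLOY_AGENT.exe",
     "CommandLine": r"InstallUtil.exe C:\Program Files\Vendor\VendorService.exe"},
]

# Placeholder: fill with the parent image names of your own deployment tooling.
ALLOWLISTED_PARENTS = {"placeholder_deploy_agent.exe"}


def matches_selection(event):
    """Sigma-style selection: Image|endswith or OriginalFileName, case-insensitive."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\installutil.exe") or original == "installutil.exe"


def is_allowlisted(event, allowlisted_parents=ALLOWLISTED_PARENTS):
    """Suppress by parent process basename only, never by the InstallUtil path itself."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return parent in allowlisted_parents


def triage(events, allowlisted_parents=ALLOWLISTED_PARENTS):
    """Return the CommandLine of every event that matches and is not allowlisted."""
    return [e["CommandLine"] for e in events
            if matches_selection(e) and not is_allowlisted(e, allowlisted_parents)]
```

`triage(SAMPLE_EVENTS)` returns the two command lines that warrant analyst attention; passing an empty allowlist shows the suppressed deployment-tool event reappearing.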
