T1218.004: T1218.004

Essential information

MITRE technique ID: T1218.004
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:37
Modified: 29/04/2026 12:14
Author / Source: The MITRE Corporation

Aliases

InstallUtil

Platforms

windows

Description

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: `C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe` and `C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe`. InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute `[System.ComponentModel.RunInstaller(true)]`. (Citation: LOLBAS Installutil)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Related entities

REF4526 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 22:37 · Modified 20/12/2025 22:37
SnakeKeylogger uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 13:02 · Modified 21/12/2025 13:02
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 22/05/2026 04:12
menuPass uses CicadaPOTASSIUM

The MITRE Corporation Confidence 100

[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13

SnakeKeylogger uses

Family

Published 24/04/2025 13:40 · Modified 24/04/2025 13:40
LimeRAT uses

Family

Published 26/08/2025 15:21 · Modified 26/08/2025 15:21
Cobalt Strike - S0154 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
Saint Bot
NJRat uses

Family

Published 05/03/2025 11:12 · Modified 05/03/2025 11:12
Chaes
StealthMutant
ScrambleCross
VenomRAT uses

Family

Published 03/06/2026 13:18 · Modified 03/06/2026 13:18
StealthVector uses

Family

Published 09/08/2024 20:15 · Modified 09/08/2024 20:15
WhisperGate uses

Family

Published 09/09/2024 08:02 · Modified 09/09/2024 08:02
YIPPHB

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (5)

Malware (13)

Reports (4)

Vulnerabilities (CVE) (2)

Attack patterns (MITRE) (1)

Tool (1)

Course Of Action (2)