Discover and read the best of Twitter Threads about #installutil


Always nice when a payload has robust documentation.
This one details the exact bypasses implemented.

Version control shows 2016 @Cneelis method replaced with that @_RastaMouse new new.

πŸ‘‰πŸ½ "Program.cs" #InstallUtil payload with 0 VT detections btw: virustotal.com/gui/file/9193b… ImageImage
@Cneelis @_RastaMouse Uploaded 4 hours ago. (πŸ†•)
0/60 static detections is *sorta* expected - it'd be interesting to see how security tech performs when this is loaded by #InstallUtil - should be caught then.

Anyway, great payload comments! [more pictured]
The #InstallUtil payload is contained within a parent archive "PSByPassCLM-master.zip"

#DFIR tip: look out for "-master" in your file names & PDB paths. You're often one last hop away from Githubtribution 😁

👋 This one belonged to @padovah4ck's 2018 project: github.com/padovah4ck/PSB…
#InstallUtil payloads are still very popular for code execution and app whitelisting bypass.

Here's a fresh sample with a #GRUNT payload: "compliancesignature.cs"
MD5: f55c0c165f30df6d92fbb50bf7688dc5
virustotal.com/gui/file/1db94…
0/59 static detections.
So I'll share some rules!
👇👇
Identify suspicious #InstallUtil code execution payloads with a syntax-based #Yara rule (gist.github.com/itsreallynick/…) from this thread () on a *pretty damn similar* sample 🧐

Also look closely at both samples' embedded PE information (Original/InternalName) 😉
👋 hello @rapid7 red team btw

Or as I know you, #UNC1769.
You all do some really cool stuff. Keep it up! See you on the field!

Please try not to get as mad at me for putting some VT payloads on Twitter (like, no need to upload a bunch of aggressively-named files this time 😅)