Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. The InstallUtil binary may also be digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe and …

Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary that may be signed by Microsoft and is used in several ways in either its GUI or in a command prompt. MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These …

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions …

As per Microsoft's documentation, BlockInput function "prevents keyboard and mouse input events from reaching applications," effectively restricting user interaction with the system.

Malware occasionally employs this tactic to hinder analysis by debuggers or other analysis tools throughout the process' runtime. To deactivate the block, the program must make a live call to BlockInput with the parameter 0. Windows automatically …

A lolbin (short for "Living Off the Land Binaries") is a legitimate Windows utility that can be used by adversaries to execute arbitrary commands. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, the Program Compatibility Assistant (pcalua.exe) and components of the Windows Subsystem for Linux (WSL) are examples of lolbins that can be …