diff --git a/atomics/T1118/T1118.md b/atomics/T1118/T1118.md
index 544ffdf3..7d539d8c 100644
--- a/atomics/T1118/T1118.md
+++ b/atomics/T1118/T1118.md
@@ -6,14 +6,268 @@ Adversaries may use InstallUtil to proxy execution of code through a trusted Win
## Atomic Tests
-- [Atomic Test #1 - InstallUtil uninstall method call](#atomic-test-1---installutil-uninstall-method-call)
+- [Atomic Test #1 - CheckIfInstallable method call](#atomic-test-1---checkifinstallable-method-call)
-- [Atomic Test #2 - InstallUtil GetHelp method call](#atomic-test-2---installutil-gethelp-method-call)
+- [Atomic Test #2 - InstallHelper method call](#atomic-test-2---installhelper-method-call)
+
+- [Atomic Test #3 - InstallUtil class constructor method call](#atomic-test-3---installutil-class-constructor-method-call)
+
+- [Atomic Test #4 - InstallUtil Install method call](#atomic-test-4---installutil-install-method-call)
+
+- [Atomic Test #5 - InstallUtil Uninstall method call - /U variant](#atomic-test-5---installutil-uninstall-method-call---u-variant)
+
+- [Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant](#atomic-test-6---installutil-uninstall-method-call---installtypenotransaction-actionuninstall-variant)
+
+- [Atomic Test #7 - InstallUtil HelpText method call](#atomic-test-7---installutil-helptext-method-call)
+
+- [Atomic Test #8 - InstallUtil evasive invocation](#atomic-test-8---installutil-evasive-invocation)
-## Atomic Test #1 - InstallUtil uninstall method call
+## Atomic Test #1 - CheckIfInstallable method call
+Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
+| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
+| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
+| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | CheckIfInstallable|
+
+
+#### Attack Commands: Run with `powershell`!
+```
+# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+. #{test_harness}
+
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+$ExpectedOutput = 'Constructor_'
+
+$TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+}
+
+$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.
+Expected: $ExpectedOutput
+Actual: $ActualOutput
+"@
+}
+```
+
+#### Cleanup Commands:
+```
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+Remove-Item -Path $InstallerAssemblyFullPath
+```
+
+
+
+
+
+
+
+
+## Atomic Test #2 - InstallHelper method call
+Executes the InstallHelper class constructor runner instead of executing InstallUtil.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
+| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
+| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
+| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | InstallHelper|
+
+
+#### Attack Commands: Run with `powershell`!
+```
+# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+. #{test_harness}
+
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
+$ExpectedOutput = 'Constructor_'
+
+$TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+}
+
+$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+InstallHelper method execution test failure. Installer assembly execution output did not match the expected output.
+Expected: $ExpectedOutput
+Actual: $ActualOutput
+"@
+}
+```
+
+#### Cleanup Commands:
+```
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+Remove-Item -Path $InstallerAssemblyFullPath
+```
+
+
+
+
+
+
+
+
+## Atomic Test #3 - InstallUtil class constructor method call
+Executes the installer assembly class constructor.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
+| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
+| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
+| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
+
+
+#### Attack Commands: Run with `powershell`!
+```
+# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+. #{test_harness}
+
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
+$ExpectedOutput = 'Constructor_'
+
+$TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+}
+
+$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.
+Expected: $ExpectedOutput
+Actual: $ActualOutput
+"@
+}
+```
+
+#### Cleanup Commands:
+```
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+Remove-Item -Path $InstallerAssemblyFullPath
+```
+
+
+
+
+
+
+
+
+## Atomic Test #4 - InstallUtil Install method call
+Executes the Install Method
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
+| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
+| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
+| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
+
+
+#### Attack Commands: Run with `powershell`!
+```
+# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+. #{test_harness}
+
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`""
+$ExpectedOutput = 'Constructor_Install_'
+
+$TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+}
+
+$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.
+Expected: $ExpectedOutput
+Actual: $ActualOutput
+"@
+}
+```
+
+#### Cleanup Commands:
+```
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+Remove-Item -Path $InstallerAssemblyFullPath
+```
+
+
+
+
+
+
+
+
+## Atomic Test #5 - InstallUtil Uninstall method call - /U variant
Executes the Uninstall Method
**Supported Platforms:** Windows
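Review bot: Tests #1 to #4 each begin with `. #{test_harness}` but carry no Dependencies section, so a missing harness script fails with an opaque dot-sourcing error instead of a prereq failure; add a `#### Dependencies: Run with `powershell`!` block with a check such as `if (Test-Path "#{test_harness}") {exit 0} else {exit 1}`, mirroring the `#{source}` check the old tests had. Quote the path too, `. "#{test_harness}"`, since `PathToAtomicsFolder` is routinely resolved to a directory whose name contains spaces and the unquoted form then breaks. Minor: Test #4's description `Executes the Install Method` drops the trailing period the other descriptions use, and the table of contents now has a blank line between entries, which renders as a loose list.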
@@ -22,41 +276,59 @@ Executes the Uninstall Method
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| output_file | location of the payload | Path | %tmp%\T1118.dll|
-| source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs|
+| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
+| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
+| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
+| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
-#### Attack Commands: Run with `command_prompt`!
+#### Attack Commands: Run with `powershell`!
```
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file}
+# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+. #{test_harness}
+
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+$CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`""
+$ExpectedOutput = 'Constructor_Uninstall_'
+
+$TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+}
+
+$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
+Expected: $ExpectedOutput
+Actual: $ActualOutput
+"@
+}
```
#### Cleanup Commands:
```
-del #{output_file} >nul 2>&1
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+Remove-Item -Path $InstallerAssemblyFullPath
```
-#### Dependencies: Run with `powershell`!
-##### Description: Source code must exist on disk at specified location (#{source})
-##### Check Prereq Commands:
-```
-if (Test-Path #{source}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```
-New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
-```
-
-## Atomic Test #2 - InstallUtil GetHelp method call
+## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant
Executes the Uninstall Method
**Supported Platforms:** Windows
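Review bot: the cleanup `Remove-Item -Path $InstallerAssemblyFullPath` runs unconditionally and emits an error whenever the attack step failed before the assembly was written (missing harness, compile failure); add `-ErrorAction Ignore`, which is what the removed `del #{output_file} >nul 2>&1` did implicitly. The Dependencies / Check Prereq / Get Prereq blocks deleted here are not replaced by an equivalent for the new `test_harness` input, so the executor no longer has a way to report the missing prerequisite before running the command.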
@@ -65,34 +337,176 @@ Executes the Uninstall Method
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| output_file | location of the payload | Path | %tmp%\T1118.dll|
-| source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs|
+| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
+| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
+| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
+| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
-#### Attack Commands: Run with `command_prompt`!
+#### Attack Commands: Run with `powershell`!
```
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
-C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file}
+# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+. #{test_harness}
+
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`""
+$ExpectedOutput = 'Constructor_Uninstall_'
+
+$TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+}
+
+$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
+Expected: $ExpectedOutput
+Actual: $ActualOutput
+"@
+}
```
#### Cleanup Commands:
```
-del #{output_file} >nul 2>&1
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+Remove-Item -Path $InstallerAssemblyFullPath
+```
+
+
+
+
+
+
+
+
+## Atomic Test #7 - InstallUtil HelpText method call
+Executes the Uninstall Method
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
+| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
+| assembly_filename | filename of the compiled installer assembly | String | T1118.dll|
+| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable|
+
+
+#### Attack Commands: Run with `powershell`!
+```
+# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+. #{test_harness}
+
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+$CommandLine = "/? `"$InstallerAssemblyFullPath`""
+$ExpectedOutput = 'Constructor_HelpText_'
+
+$TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+}
+
+$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.
+Expected: $ExpectedOutput
+Actual: $ActualOutput
+"@
+}
+```
+
+#### Cleanup Commands:
+```
+$InstallerAssemblyDir = "#{assembly_dir}"
+$InstallerAssemblyFileName = "#{assembly_filename}"
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+Remove-Item -Path $InstallerAssemblyFullPath
+```
+
+
+
+
+
+
+
+
+## Atomic Test #8 - InstallUtil evasive invocation
+Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1|
+
+
+#### Attack Commands: Run with `powershell`!
+```
+# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+. #{test_harness}
+
+$InstallerAssemblyDir = "$Env:windir\System32\Tasks"
+$InstallerAssemblyFileName = 'readme.txt'
+$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+$CommandLine = "readme.txt"
+$ExpectedOutput = 'Constructor_'
+
+# Explicitly set the directory so that a relative path to readme.txt can be supplied.
+Set-Location "$Env:windir\System32\Tasks"
+
+Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe"
+
+$TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = 'Executable'
+ CommandLine = $CommandLine
+ InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe"
+}
+
+$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.
+Expected: $ExpectedOutput
+Actual: $ActualOutput
+"@
+}
+```
+
+#### Cleanup Commands:
+```
+Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt"
+Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog"
+Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState"
+Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe"
```
-#### Dependencies: Run with `powershell`!
-##### Description: Source code must exist on disk at specified location (#{source})
-##### Check Prereq Commands:
-```
-if (Test-Path #{source}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```
-New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
-```
-
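Review bot: Test #7's description `Executes the Uninstall Method` is a copy-paste leftover; the command passes `/?` and expects `Constructor_HelpText_`, so it should say that the test exercises the installer's HelpText property. In Test #8, `Set-Location "$Env:windir\System32\Tasks"` changes the invoking session's working directory and is never restored; use `Push-Location` with a matching `Pop-Location`. Copying InstallUtil.exe into `$Env:windir\System32\Tasks` and dropping `readme.txt` there requires an elevated prompt, which the markdown does not state; and the four cleanup `Remove-Item` lines need `-ErrorAction Ignore`, because `readme.InstallLog` and `readme.InstallState` only exist if the run got far enough to create them. Since the point of Test #8 is that a process-name match on `InstallUtil.exe` misses a renamed copy, the description could say so explicitly so that readers key detections on the binary's original file name and signature rather than its on-disk name.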
diff --git a/atomics/index.md b/atomics/index.md
index f7f715d7..0f1f53c6 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -292,8 +292,14 @@
- [T1130 Install Root Certificate](./T1130/T1130.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- [T1118 InstallUtil](./T1118/T1118.md)
- - Atomic Test #1: InstallUtil uninstall method call [windows]
- - Atomic Test #2: InstallUtil GetHelp method call [windows]
+ - Atomic Test #1: CheckIfInstallable method call [windows]
+ - Atomic Test #2: InstallHelper method call [windows]
+ - Atomic Test #3: InstallUtil class constructor method call [windows]
+ - Atomic Test #4: InstallUtil Install method call [windows]
+ - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
+ - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
+ - Atomic Test #7: InstallUtil HelpText method call [windows]
+ - Atomic Test #8: InstallUtil evasive invocation [windows]
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
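Review bot: this listing must match the `index.yaml` names and the `T1118.md` headings exactly, and it does, but the Test #6 name `InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant` carries quotes, slashes and equals signs that have to be stripped by hand to produce the markdown anchor `#atomic-test-6---installutil-uninstall-method-call---installtypenotransaction-actionuninstall-variant`. Consider a shorter name such as `InstallUtil Uninstall method call - notransaction variant` and put the exact switches in the description instead. The same applies to the second `index.md` region further down.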
@@ -727,8 +733,14 @@
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1118 InstallUtil](./T1118/T1118.md)
- - Atomic Test #1: InstallUtil uninstall method call [windows]
- - Atomic Test #2: InstallUtil GetHelp method call [windows]
+ - Atomic Test #1: CheckIfInstallable method call [windows]
+ - Atomic Test #2: InstallHelper method call [windows]
+ - Atomic Test #3: InstallUtil class constructor method call [windows]
+ - Atomic Test #4: InstallUtil Install method call [windows]
+ - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
+ - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
+ - Atomic Test #7: InstallUtil HelpText method call [windows]
+ - Atomic Test #8: InstallUtil evasive invocation [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 28c089d6..5289f095 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -9120,68 +9120,480 @@ defense-evasion:
- Digital Certificate Validation
identifier: T1118
atomic_tests:
- - name: InstallUtil uninstall method call
+ - name: CheckIfInstallable method call
+ description: 'Executes the CheckIfInstallable class constructor runner instead
+ of executing InstallUtil.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: CheckIfInstallable
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $ExpectedOutput = 'Constructor_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallHelper method call
+ description: 'Executes the InstallHelper class constructor runner instead of
+ executing InstallUtil.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: InstallHelper
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallHelper method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil class constructor method call
+ description: 'Executes the installer assembly class constructor.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil Install method call
+ description: 'Executes the Install Method
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_Install_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil Uninstall method call - /U variant
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
- output_file:
- description: location of the payload
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
- default: "%tmp%\\T1118.dll"
- source:
- description: location of the source code to compile
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
type: Path
- default: PathToAtomicsFolder\T1118\src\T1118.cs
- dependency_executor_name: powershell
- dependencies:
- - description: Source code must exist on disk at specified location (#{source})
- prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}'
- get_prereq_command: |-
- New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
executor:
- name: command_prompt
+ name: powershell
elevation_required: false
command: |
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file}
- cleanup_command: 'del #{output_file} >nul 2>&1
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
-'
- - name: InstallUtil GetHelp method call
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_Uninstall_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall'
+ variant
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
- output_file:
- description: location of the payload
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
- default: "%tmp%\\T1118.dll"
- source:
- description: location of the source code to compile
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
type: Path
- default: PathToAtomicsFolder\T1118\src\T1118.cs
- dependency_executor_name: powershell
- dependencies:
- - description: Source code must exist on disk at specified location (#{source})
- prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}'
- get_prereq_command: |-
- New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
executor:
- name: command_prompt
+ name: powershell
elevation_required: false
command: |
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file}
- cleanup_command: 'del #{output_file} >nul 2>&1
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_Uninstall_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil HelpText method call
+ description: 'Executes the Uninstall Method
'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/? `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_HelpText_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil evasive invocation
+ description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
+ using a nonstandard extension for the assembly.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "$Env:windir\System32\Tasks"
+ $InstallerAssemblyFileName = 'readme.txt'
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "readme.txt"
+ $ExpectedOutput = 'Constructor_'
+
+ # Explicitly set the directory so that a relative path to readme.txt can be supplied.
+ Set-Location "$Env:windir\System32\Tasks"
+
+ Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe"
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = 'Executable'
+ CommandLine = $CommandLine
+ InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe"
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |-
+ Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt"
+ Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog"
+ Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState"
+ Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe"
T1152:
technique:
x_mitre_permissions_required:
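Review bot: the description of the new `InstallUtil HelpText method call` test is a copy-paste leftover: it still reads `description: 'Executes the Uninstall Method'` while the command passes `/?` and the test expects `Constructor_HelpText_`, so reword it to describe the HelpText path (the throw message in the same test calls it the "HelpText property"; pick one term and use it in both places). Two smaller points in the evasive-invocation test: `Set-Location "$Env:windir\System32\Tasks"` changes the runner's working directory and nothing restores it, so `Push-Location`/`Pop-Location` around the invocation would be cleaner; and its cleanup is four bare `Remove-Item` calls, so if the `Copy-Item` of InstallUtil.exe to `notepad.exe` or the assembly build fails before `readme.InstallLog` and `readme.InstallState` are produced, the cleanup itself throws. Add `-ErrorAction SilentlyContinue` (or a `Test-Path` guard) to each; the `Remove-Item -Path $InstallerAssemblyFullPath` in the other tests' cleanup has the same failure mode when compilation fails.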
@@ -21813,68 +22225,480 @@ execution:
- Digital Certificate Validation
identifier: T1118
atomic_tests:
- - name: InstallUtil uninstall method call
+ - name: CheckIfInstallable method call
+ description: 'Executes the CheckIfInstallable class constructor runner instead
+ of executing InstallUtil.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: CheckIfInstallable
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $ExpectedOutput = 'Constructor_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallHelper method call
+ description: 'Executes the InstallHelper class constructor runner instead of
+ executing InstallUtil.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: InstallHelper
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallHelper method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil class constructor method call
+ description: 'Executes the installer assembly class constructor.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil Install method call
+ description: 'Executes the Install Method
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_Install_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil Uninstall method call - /U variant
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
- output_file:
- description: location of the payload
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
- default: "%tmp%\\T1118.dll"
- source:
- description: location of the source code to compile
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
type: Path
- default: PathToAtomicsFolder\T1118\src\T1118.cs
- dependency_executor_name: powershell
- dependencies:
- - description: Source code must exist on disk at specified location (#{source})
- prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}'
- get_prereq_command: |-
- New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
executor:
- name: command_prompt
+ name: powershell
elevation_required: false
command: |
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file}
- cleanup_command: 'del #{output_file} >nul 2>&1
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
-'
- - name: InstallUtil GetHelp method call
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_Uninstall_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall'
+ variant
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
- output_file:
- description: location of the payload
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
type: Path
- default: "%tmp%\\T1118.dll"
- source:
- description: location of the source code to compile
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
type: Path
- default: PathToAtomicsFolder\T1118\src\T1118.cs
- dependency_executor_name: powershell
- dependencies:
- - description: Source code must exist on disk at specified location (#{source})
- prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}'
- get_prereq_command: |-
- New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
executor:
- name: command_prompt
+ name: powershell
elevation_required: false
command: |
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source}
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file}
- cleanup_command: 'del #{output_file} >nul 2>&1
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_Uninstall_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil HelpText method call
+ description: 'Executes the Uninstall Method
'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ assembly_dir:
+ description: directory to drop the compiled installer assembly
+ type: Path
+ default: "$Env:TEMP\\"
+ assembly_filename:
+ description: filename of the compiled installer assembly
+ type: String
+ default: T1118.dll
+ invocation_method:
+ description: the type of InstallUtil invocation variant - Executable, InstallHelper,
+ or CheckIfInstallable
+ type: String
+ default: Executable
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "/? `"$InstallerAssemblyFullPath`""
+ $ExpectedOutput = 'Constructor_HelpText_'
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = '#{invocation_method}'
+ CommandLine = $CommandLine
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |
+ $InstallerAssemblyDir = "#{assembly_dir}"
+ $InstallerAssemblyFileName = "#{assembly_filename}"
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ Remove-Item -Path $InstallerAssemblyFullPath
+ - name: InstallUtil evasive invocation
+ description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
+ using a nonstandard extension for the assembly.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ test_harness:
+ description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly
+ type: Path
+ default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly
+ . #{test_harness}
+
+ $InstallerAssemblyDir = "$Env:windir\System32\Tasks"
+ $InstallerAssemblyFileName = 'readme.txt'
+ $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName
+
+ $CommandLine = "readme.txt"
+ $ExpectedOutput = 'Constructor_'
+
+ # Explicitly set the directory so that a relative path to readme.txt can be supplied.
+ Set-Location "$Env:windir\System32\Tasks"
+
+ Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe"
+
+ $TestArgs = @{
+ OutputAssemblyDirectory = $InstallerAssemblyDir
+ OutputAssemblyFileName = $InstallerAssemblyFileName
+ InvocationMethod = 'Executable'
+ CommandLine = $CommandLine
+ InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe"
+ }
+
+ $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly
+
+ if ($ActualOutput -ne $ExpectedOutput) {
+ throw @"
+ Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output.
+ Expected: $ExpectedOutput
+ Actual: $ActualOutput
+ "@
+ }
+ cleanup_command: |-
+ Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt"
+ Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog"
+ Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState"
+ Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe"
T1152:
technique:
x_mitre_permissions_required:
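Review bot: the same `description: 'Executes the Uninstall Method'` copy-paste error is reproduced here under `InstallUtil HelpText method call`; this hunk starts past line 21800 and repeats the technique YAML verbatim, so if this file is the generated aggregate index, fix the source YAML and regenerate rather than patching both by hand. Separately, the Install, Uninstall (both variants) and HelpText tests each expose `invocation_method` described as "Executable, InstallHelper, or CheckIfInstallable", yet their `$ExpectedOutput` is hard-coded to `Constructor_Install_`, `Constructor_Uninstall_` or `Constructor_HelpText_`, while the CheckIfInstallable test in the same hunk passes no `CommandLine` at all and expects only `Constructor_`. Selecting a non-default runner on those tests therefore looks like a guaranteed throw at the `if ($ActualOutput -ne $ExpectedOutput)` check; either drop the argument from those tests or state in its description that only `Executable` is valid for them.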
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 217b401e..21cd0870 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -98,8 +98,14 @@
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- [T1118 InstallUtil](./T1118/T1118.md)
- - Atomic Test #1: InstallUtil uninstall method call [windows]
- - Atomic Test #2: InstallUtil GetHelp method call [windows]
+ - Atomic Test #1: CheckIfInstallable method call [windows]
+ - Atomic Test #2: InstallHelper method call [windows]
+ - Atomic Test #3: InstallUtil class constructor method call [windows]
+ - Atomic Test #4: InstallUtil Install method call [windows]
+ - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
+ - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
+ - Atomic Test #7: InstallUtil HelpText method call [windows]
+ - Atomic Test #8: InstallUtil evasive invocation [windows]
- [T1036 Masquerading](./T1036/T1036.md)
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
@@ -611,8 +617,14 @@
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1118 InstallUtil](./T1118/T1118.md)
- - Atomic Test #1: InstallUtil uninstall method call [windows]
- - Atomic Test #2: InstallUtil GetHelp method call [windows]
+ - Atomic Test #1: CheckIfInstallable method call [windows]
+ - Atomic Test #2: InstallHelper method call [windows]
+ - Atomic Test #3: InstallUtil class constructor method call [windows]
+ - Atomic Test #4: InstallUtil Install method call [windows]
+ - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
+ - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
+ - Atomic Test #7: InstallUtil HelpText method call [windows]
+ - Atomic Test #8: InstallUtil evasive invocation [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]