From 8cb0e3e283c6e795c5ea93d26c860069db0bd3bb Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 12 Mar 2020 13:33:53 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1118/T1118.md | 494 ++++++++++++++++++--
 atomics/index.md | 20 +-
 atomics/index.yaml | 972 ++++++++++++++++++++++++++++++++++++---
 atomics/windows-index.md | 20 +-
 4 files changed, 1384 insertions(+), 122 deletions(-)

diff --git a/atomics/T1118/T1118.md b/atomics/T1118/T1118.md
index 544ffdf3..7d539d8c 100644
--- a/atomics/T1118/T1118.md
+++ b/atomics/T1118/T1118.md
@@ -6,14 +6,268 @@ Adversaries may use InstallUtil to proxy execution of code through a trusted Win
 ## Atomic Tests
-- [Atomic Test #1 - InstallUtil uninstall method call](#atomic-test-1---installutil-uninstall-method-call)
+- [Atomic Test #1 - CheckIfInstallable method call](#atomic-test-1---checkifinstallable-method-call)
-- [Atomic Test #2 - InstallUtil GetHelp method call](#atomic-test-2---installutil-gethelp-method-call)
+- [Atomic Test #2 - InstallHelper method call](#atomic-test-2---installhelper-method-call)
+
+- [Atomic Test #3 - InstallUtil class constructor method call](#atomic-test-3---installutil-class-constructor-method-call)
+
+- [Atomic Test #4 - InstallUtil Install method call](#atomic-test-4---installutil-install-method-call)
+
+- [Atomic Test #5 - InstallUtil Uninstall method call - /U variant](#atomic-test-5---installutil-uninstall-method-call---u-variant)
+
+- [Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant](#atomic-test-6---installutil-uninstall-method-call---installtypenotransaction-actionuninstall-variant)
+
+- [Atomic Test #7 - InstallUtil HelpText method call](#atomic-test-7---installutil-helptext-method-call)
+
+- [Atomic Test #8 - InstallUtil evasive invocation](#atomic-test-8---installutil-evasive-invocation)
-## Atomic Test #1 - InstallUtil uninstall method call +## Atomic Test #1 - CheckIfInstallable method call +Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. + +**Supported Platforms:** Windows + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1| +| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| +| assembly_filename | filename of the compiled installer assembly | String | T1118.dll| +| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | CheckIfInstallable| + + +#### Attack Commands: Run with `powershell`! +``` +# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly +. #{test_harness} + +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +$ExpectedOutput = 'Constructor_' + +$TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' +} + +$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + +if ($ActualOutput -ne $ExpectedOutput) { + throw @" +CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output. 
+Expected: $ExpectedOutput +Actual: $ActualOutput +"@ +} +``` + +#### Cleanup Commands: +``` +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +Remove-Item -Path $InstallerAssemblyFullPath +``` + + + + + +
+
+ +## Atomic Test #2 - InstallHelper method call +Executes the InstallHelper class constructor runner instead of executing InstallUtil. + +**Supported Platforms:** Windows + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1| +| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| +| assembly_filename | filename of the compiled installer assembly | String | T1118.dll| +| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | InstallHelper| + + +#### Attack Commands: Run with `powershell`! +``` +# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly +. #{test_harness} + +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`"" +$ExpectedOutput = 'Constructor_' + +$TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine +} + +$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + +if ($ActualOutput -ne $ExpectedOutput) { + throw @" +InstallHelper method execution test failure. Installer assembly execution output did not match the expected output. 
+Expected: $ExpectedOutput +Actual: $ActualOutput +"@ +} +``` + +#### Cleanup Commands: +``` +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +Remove-Item -Path $InstallerAssemblyFullPath +``` + + + + + +
+
+ +## Atomic Test #3 - InstallUtil class constructor method call +Executes the installer assembly class constructor. + +**Supported Platforms:** Windows + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1| +| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| +| assembly_filename | filename of the compiled installer assembly | String | T1118.dll| +| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable| + + +#### Attack Commands: Run with `powershell`! +``` +# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly +. #{test_harness} + +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +$CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`"" +$ExpectedOutput = 'Constructor_' + +$TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine +} + +$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + +if ($ActualOutput -ne $ExpectedOutput) { + throw @" +InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output. 
+Expected: $ExpectedOutput +Actual: $ActualOutput +"@ +} +``` + +#### Cleanup Commands: +``` +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +Remove-Item -Path $InstallerAssemblyFullPath +``` + + + + + +
+
+ +## Atomic Test #4 - InstallUtil Install method call +Executes the Install Method + +**Supported Platforms:** Windows + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1| +| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| +| assembly_filename | filename of the compiled installer assembly | String | T1118.dll| +| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable| + + +#### Attack Commands: Run with `powershell`! +``` +# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly +. #{test_harness} + +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`"" +$ExpectedOutput = 'Constructor_Install_' + +$TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine +} + +$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + +if ($ActualOutput -ne $ExpectedOutput) { + throw @" +InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output. 
+Expected: $ExpectedOutput +Actual: $ActualOutput +"@ +} +``` + +#### Cleanup Commands: +``` +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +Remove-Item -Path $InstallerAssemblyFullPath +``` + + + + + +
+
+ +## Atomic Test #5 - InstallUtil Uninstall method call - /U variant Executes the Uninstall Method **Supported Platforms:** Windows 
@@ -22,41 +276,59 @@ Executes the Uninstall Method #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | location of the payload | Path | %tmp%\T1118.dll| -| source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs| +| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1| +| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| +| assembly_filename | filename of the compiled installer assembly | String | T1118.dll| +| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable| -#### Attack Commands: Run with `command_prompt`! +#### Attack Commands: Run with `powershell`! ``` -C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} -C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file} +# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly +. #{test_harness} + +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +$CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`"" +$ExpectedOutput = 'Constructor_Uninstall_' + +$TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine +} + +$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + +if ($ActualOutput -ne $ExpectedOutput) { + throw @" +InstallUtil Uninstall method execution test failure. 
Installer assembly execution output did not match the expected output. +Expected: $ExpectedOutput +Actual: $ActualOutput +"@ +} ``` #### Cleanup Commands: ``` -del #{output_file} >nul 2>&1 +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +Remove-Item -Path $InstallerAssemblyFullPath ``` -#### Dependencies: Run with `powershell`! -##### Description: Source code must exist on disk at specified location (#{source}) -##### Check Prereq Commands: -``` -if (Test-Path #{source}) {exit 0} else {exit 1} -``` -##### Get Prereq Commands: -``` -New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null -Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" -``` -

-## Atomic Test #2 - InstallUtil GetHelp method call +## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant Executes the Uninstall Method **Supported Platforms:** Windows 
@@ -65,34 +337,176 @@ Executes the Uninstall Method #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| output_file | location of the payload | Path | %tmp%\T1118.dll| -| source | location of the source code to compile | Path | PathToAtomicsFolder\T1118\src\T1118.cs| +| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1| +| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| +| assembly_filename | filename of the compiled installer assembly | String | T1118.dll| +| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable| -#### Attack Commands: Run with `command_prompt`! +#### Attack Commands: Run with `powershell`! ``` -C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} -C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file} +# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly +. #{test_harness} + +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +$CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`"" +$ExpectedOutput = 'Constructor_Uninstall_' + +$TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine +} + +$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + +if ($ActualOutput -ne $ExpectedOutput) { + throw @" +InstallUtil Uninstall method execution test failure. 
Installer assembly execution output did not match the expected output. +Expected: $ExpectedOutput +Actual: $ActualOutput +"@ +} ``` #### Cleanup Commands: ``` -del #{output_file} >nul 2>&1 +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +Remove-Item -Path $InstallerAssemblyFullPath +``` + + + + + +
+
+ +## Atomic Test #7 - InstallUtil HelpText method call +Executes the Uninstall Method + +**Supported Platforms:** Windows + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1| +| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| +| assembly_filename | filename of the compiled installer assembly | String | T1118.dll| +| invocation_method | the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable | String | Executable| + + +#### Attack Commands: Run with `powershell`! +``` +# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly +. #{test_harness} + +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +$CommandLine = "/? `"$InstallerAssemblyFullPath`"" +$ExpectedOutput = 'Constructor_HelpText_' + +$TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine +} + +$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + +if ($ActualOutput -ne $ExpectedOutput) { + throw @" +InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output. +Expected: $ExpectedOutput +Actual: $ActualOutput +"@ +} +``` + +#### Cleanup Commands: +``` +$InstallerAssemblyDir = "#{assembly_dir}" +$InstallerAssemblyFileName = "#{assembly_filename}" +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +Remove-Item -Path $InstallerAssemblyFullPath +``` + + + + + +
+
+ +## Atomic Test #8 - InstallUtil evasive invocation +Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. + +**Supported Platforms:** Windows + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1| + + +#### Attack Commands: Run with `powershell`! +``` +# Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly +. #{test_harness} + +$InstallerAssemblyDir = "$Env:windir\System32\Tasks" +$InstallerAssemblyFileName = 'readme.txt' +$InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + +$CommandLine = "readme.txt" +$ExpectedOutput = 'Constructor_' + +# Explicitly set the directory so that a relative path to readme.txt can be supplied. +Set-Location "$Env:windir\System32\Tasks" + +Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe" + +$TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = 'Executable' + CommandLine = $CommandLine + InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe" +} + +$ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + +if ($ActualOutput -ne $ExpectedOutput) { + throw @" +Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output. 
+Expected: $ExpectedOutput
+Actual: $ActualOutput
+"@
+}
+```
+
+#### Cleanup Commands:
+```
+Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt"
+Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog"
+Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState"
+Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe"
 ```
-#### Dependencies: Run with `powershell`!
-##### Description: Source code must exist on disk at specified location (#{source})
-##### Check Prereq Commands:
-```
-if (Test-Path #{source}) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```
-New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}"
-```
-
diff --git a/atomics/index.md b/atomics/index.md
index f7f715d7..0f1f53c6 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -292,8 +292,14 @@
 - [T1130 Install Root Certificate](./T1130/T1130.md)
 - Atomic Test #1: Install root CA on CentOS/RHEL [linux]
 - [T1118 InstallUtil](./T1118/T1118.md)
- - Atomic Test #1: InstallUtil uninstall method call [windows]
- - Atomic Test #2: InstallUtil GetHelp method call [windows]
+ - Atomic Test #1: CheckIfInstallable method call [windows]
+ - Atomic Test #2: InstallHelper method call [windows]
+ - Atomic Test #3: InstallUtil class constructor method call [windows]
+ - Atomic Test #4: InstallUtil Install method call [windows]
+ - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
+ - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
+ - Atomic Test #7: InstallUtil HelpText method call [windows]
+ - Atomic Test #8: InstallUtil evasive invocation [windows]
 - T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1152 Launchctl](./T1152/T1152.md)
 - Atomic Test #1: Launchctl [macos]
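Review bot: The description of Atomic Test #7 still reads `Executes the Uninstall Method` although the test sets `$CommandLine = "/? ..."` and expects `Constructor_HelpText_`, so the generated text misdescribes what the test runs; because this Markdown is emitted by the doc generator, the wording should be fixed in the technique's source YAML (not visible here) with something like `Executes the HelpText property`, matching the test's own failure message. In Atomic Test #8 the attack commands call `Set-Location "$Env:windir\System32\Tasks"` and nothing restores the caller's working directory afterwards, so the invoking session is left in that directory; wrapping the invocation in `Push-Location`/`Pop-Location` (the pop in a `finally`) would avoid that side effect. The Test #8 cleanup also shows that InstallUtil leaves `readme.InstallLog` and `readme.InstallState` next to the assembly, whereas the cleanup of Tests #6 and #7 removes only `$InstallerAssemblyFullPath`; the same applies to the install/uninstall tests in the two earlier hunks of this file, so similar `.InstallState`/`.InstallLog` artefacts may be left in `assembly_dir` — worth verifying on a run, since `/logfile=` is empty for several of them.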
@@ -727,8 +733,14 @@
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1118 InstallUtil](./T1118/T1118.md)
- - Atomic Test #1: InstallUtil uninstall method call [windows]
- - Atomic Test #2: InstallUtil GetHelp method call [windows]
+ - Atomic Test #1: CheckIfInstallable method call [windows]
+ - Atomic Test #2: InstallHelper method call [windows]
+ - Atomic Test #3: InstallUtil class constructor method call [windows]
+ - Atomic Test #4: InstallUtil Install method call [windows]
+ - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
+ - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
+ - Atomic Test #7: InstallUtil HelpText method call [windows]
+ - Atomic Test #8: InstallUtil evasive invocation [windows]
 - T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1152 Launchctl](./T1152/T1152.md)
 - Atomic Test #1: Launchctl [macos]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 28c089d6..5289f095 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -9120,68 +9120,480 @@ defense-evasion: - Digital Certificate Validation identifier: T1118 atomic_tests: - - name: InstallUtil uninstall method call + - name: CheckIfInstallable method call + description: 'Executes the CheckIfInstallable class constructor runner instead + of executing InstallUtil. + +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: CheckIfInstallable + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $ExpectedOutput = 'Constructor_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output. 
+ Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallHelper method call + description: 'Executes the InstallHelper class constructor runner instead of + executing InstallUtil. + +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: InstallHelper + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . 
#{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallHelper method execution test failure. Installer assembly execution output did not match the expected output. + Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil class constructor method call + description: 'Executes the installer assembly class constructor. 
+ +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output. 
+ Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil Install method call + description: 'Executes the Install Method + +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . 
#{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_Install_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output. + Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil Uninstall method call - /U variant description: 'Executes the Uninstall Method ' supported_platforms: - windows input_arguments: - output_file: - description: location of the payload + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly type: Path - default: "%tmp%\\T1118.dll" - source: - description: location of the source code to compile + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly type: Path - default: PathToAtomicsFolder\T1118\src\T1118.cs - dependency_executor_name: powershell - dependencies: - - description: Source code must exist on disk at specified location (#{source}) - prereq_command: 'if (Test-Path #{source}) {exit 0} 
else {exit 1}' - get_prereq_command: |- - New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable executor: - name: command_prompt + name: powershell elevation_required: false command: | - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file} - cleanup_command: 'del #{output_file} >nul 2>&1 + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} -' - - name: InstallUtil GetHelp method call + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_Uninstall_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. 
+ Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' + variant description: 'Executes the Uninstall Method ' supported_platforms: - windows input_arguments: - output_file: - description: location of the payload + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly type: Path - default: "%tmp%\\T1118.dll" - source: - description: location of the source code to compile + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly type: Path - default: PathToAtomicsFolder\T1118\src\T1118.cs - dependency_executor_name: powershell - dependencies: - - description: Source code must exist on disk at specified location (#{source}) - prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}' - get_prereq_command: |- - New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable executor: - name: command_prompt + name: powershell elevation_required: false command: | - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} - 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file} - cleanup_command: 'del #{output_file} >nul 2>&1 + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_Uninstall_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. 
+ Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil HelpText method call + description: 'Executes the Uninstall Method ' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/? `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_HelpText_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil HelpText property execution test failure. 
Installer assembly execution output did not match the expected output. + Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil evasive invocation + description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and + using a nonstandard extension for the assembly. + +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "$Env:windir\System32\Tasks" + $InstallerAssemblyFileName = 'readme.txt' + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "readme.txt" + $ExpectedOutput = 'Constructor_' + + # Explicitly set the directory so that a relative path to readme.txt can be supplied. 
+ Set-Location "$Env:windir\System32\Tasks" + + Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe" + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = 'Executable' + CommandLine = $CommandLine + InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe" + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output. + Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: |- + Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt" + Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog" + Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState" + Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" T1152: technique: x_mitre_permissions_required: 
@@ -21813,68 +22225,480 @@ execution: - Digital Certificate Validation identifier: T1118 atomic_tests: - - name: InstallUtil uninstall method call + - name: CheckIfInstallable method call + description: 'Executes the CheckIfInstallable class constructor runner instead + of executing InstallUtil. + +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: CheckIfInstallable + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $ExpectedOutput = 'Constructor_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output. 
+ Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallHelper method call + description: 'Executes the InstallHelper class constructor runner instead of + executing InstallUtil. + +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: InstallHelper + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . 
#{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallHelper method execution test failure. Installer assembly execution output did not match the expected output. + Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil class constructor method call + description: 'Executes the installer assembly class constructor. 
+ +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output. 
+ Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil Install method call + description: 'Executes the Install Method + +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . 
#{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=install `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_Install_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output. + Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil Uninstall method call - /U variant description: 'Executes the Uninstall Method ' supported_platforms: - windows input_arguments: - output_file: - description: location of the payload + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly type: Path - default: "%tmp%\\T1118.dll" - source: - description: location of the source code to compile + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly type: Path - default: PathToAtomicsFolder\T1118\src\T1118.cs - dependency_executor_name: powershell - dependencies: - - description: Source code must exist on disk at specified location (#{source}) - prereq_command: 'if (Test-Path #{source}) {exit 0} 
else {exit 1}' - get_prereq_command: |- - New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable executor: - name: command_prompt + name: powershell elevation_required: false command: | - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{output_file} - cleanup_command: 'del #{output_file} >nul 2>&1 + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} -' - - name: InstallUtil GetHelp method call + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false /U `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_Uninstall_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. 
+ Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' + variant description: 'Executes the Uninstall Method ' supported_platforms: - windows input_arguments: - output_file: - description: location of the payload + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly type: Path - default: "%tmp%\\T1118.dll" - source: - description: location of the source code to compile + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly type: Path - default: PathToAtomicsFolder\T1118\src\T1118.cs - dependency_executor_name: powershell - dependencies: - - description: Source code must exist on disk at specified location (#{source}) - prereq_command: 'if (Test-Path #{source}) {exit 0} else {exit 1}' - get_prereq_command: |- - New-Item -Type Directory (split-path #{source}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1118/src/T1118.cs" -OutFile "#{source}" + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable executor: - name: command_prompt + name: powershell elevation_required: false command: | - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:#{output_file} #{source} - 
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{output_file} - cleanup_command: 'del #{output_file} >nul 2>&1 + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_Uninstall_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. 
+ Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil HelpText method call + description: 'Executes the Uninstall Method ' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + assembly_dir: + description: directory to drop the compiled installer assembly + type: Path + default: "$Env:TEMP\\" + assembly_filename: + description: filename of the compiled installer assembly + type: String + default: T1118.dll + invocation_method: + description: the type of InstallUtil invocation variant - Executable, InstallHelper, + or CheckIfInstallable + type: String + default: Executable + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "/? `"$InstallerAssemblyFullPath`"" + $ExpectedOutput = 'Constructor_HelpText_' + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = '#{invocation_method}' + CommandLine = $CommandLine + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + InstallUtil HelpText property execution test failure. 
Installer assembly execution output did not match the expected output. + Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: | + $InstallerAssemblyDir = "#{assembly_dir}" + $InstallerAssemblyFileName = "#{assembly_filename}" + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + Remove-Item -Path $InstallerAssemblyFullPath + - name: InstallUtil evasive invocation + description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and + using a nonstandard extension for the assembly. + +' + supported_platforms: + - windows + input_arguments: + test_harness: + description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly + type: Path + default: PathToAtomicsFolder\T1118\src\InstallUtilTestHarness.ps1 + executor: + name: powershell + elevation_required: false + command: | + # Import the required test harness function, Invoke-BuildAndInvokeInstallUtilAssembly + . #{test_harness} + + $InstallerAssemblyDir = "$Env:windir\System32\Tasks" + $InstallerAssemblyFileName = 'readme.txt' + $InstallerAssemblyFullPath = Join-Path -Path $InstallerAssemblyDir -ChildPath $InstallerAssemblyFileName + + $CommandLine = "readme.txt" + $ExpectedOutput = 'Constructor_' + + # Explicitly set the directory so that a relative path to readme.txt can be supplied. 
+ Set-Location "$Env:windir\System32\Tasks" + + Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe" + + $TestArgs = @{ + OutputAssemblyDirectory = $InstallerAssemblyDir + OutputAssemblyFileName = $InstallerAssemblyFileName + InvocationMethod = 'Executable' + CommandLine = $CommandLine + InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe" + } + + $ActualOutput = Invoke-BuildAndInvokeInstallUtilAssembly @TestArgs -MinimumViableAssembly + + if ($ActualOutput -ne $ExpectedOutput) { + throw @" + Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output. + Expected: $ExpectedOutput + Actual: $ActualOutput + "@ + } + cleanup_command: |- + Remove-Item -Path "$Env:windir\System32\Tasks\readme.txt" + Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallLog" + Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState" + Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" T1152: technique: x_mitre_permissions_required: diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 217b401e..21cd0870 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
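Review bot: The new "InstallUtil HelpText method call" entry still carries the description `'Executes the Uninstall Method '`, copied from the two Uninstall variants, even though its command line is `/?` and it expects `Constructor_HelpText_`; it should read something like `'Executes the HelpText property getter via InstallUtil /?'`. In the evasive-invocation test, `Set-Location "$Env:windir\System32\Tasks"` changes the runner session's working directory and is never restored, and the cleanup runs bare `Remove-Item` on readme.InstallLog and readme.InstallState, which error out if the run failed before InstallUtil wrote them; `Push-Location`/`Pop-Location` around the invocation and `Remove-Item ... -ErrorAction SilentlyContinue` in cleanup would make the test side-effect free. Every test also dot-sources `. #{test_harness}` unquoted, which breaks when PathToAtomicsFolder contains a space — `. "#{test_harness}"` is safer. The evasive test presumably relies on standard users being able to write to System32\Tasks given `elevation_required: false`; worth stating that assumption in the description so a failure there is not mistaken for a detection. Since index.yaml is generated by the docs job, these fixes belong in the per-technique T1118 YAML rather than in this file.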
@@ -98,8 +98,14 @@ - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows] - [T1130 Install Root Certificate](./T1130/T1130.md) - [T1118 InstallUtil](./T1118/T1118.md) - - Atomic Test #1: InstallUtil uninstall method call [windows] - - Atomic Test #2: InstallUtil GetHelp method call [windows] + - Atomic Test #1: CheckIfInstallable method call [windows] + - Atomic Test #2: InstallHelper method call [windows] + - Atomic Test #3: InstallUtil class constructor method call [windows] + - Atomic Test #4: InstallUtil Install method call [windows] + - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] + - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows] + - Atomic Test #7: InstallUtil HelpText method call [windows] + - Atomic Test #8: InstallUtil evasive invocation [windows] - [T1036 Masquerading](./T1036/T1036.md) - Atomic Test #1: Masquerading as Windows LSASS process [windows] - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] 
@@ -611,8 +617,14 @@ - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1118 InstallUtil](./T1118/T1118.md) - - Atomic Test #1: InstallUtil uninstall method call [windows] - - Atomic Test #2: InstallUtil GetHelp method call [windows] + - Atomic Test #1: CheckIfInstallable method call [windows] + - Atomic Test #2: InstallHelper method call [windows] + - Atomic Test #3: InstallUtil class constructor method call [windows] + - Atomic Test #4: InstallUtil Install method call [windows] + - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] + - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows] + - Atomic Test #7: InstallUtil HelpText method call [windows] + - Atomic Test #8: InstallUtil evasive invocation [windows] - T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1170 Mshta](./T1170/T1170.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]