Update T1574.001.yaml (#2898)

Phantom Dll Hijacking - ualapi.dll

Co-authored-by: Carrie Roberts <[email protected]>

atomics/T1574.001/T1574.001.yaml

@@ -42,3 +42,23 @@ atomic_tests:
       del %APPDATA%\WinAppXRT.dll
     name: command_prompt
     elevation_required: true    
+- name: Phantom Dll Hijacking - ualapi.dll
+  description: |
+    Re-starting the Print Spooler service leads to C:\Windows\System32\ualapi.dll being loaded
+    A malicious ualapi.dll placed in the System32 directory will lead to its execution whenever the system starts
+
+    Upon successful execution, amsi.dll will be copied and renamed to ualapi.dll and then ualapi.dll will be copied to system32 folder for loading during system restart.
+    Print Spooler service is also configured to auto start. Reboot of system is required
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
+      ren %APPDATA%\amsi.dll ualapi.dll
+      copy %APPDATA%\ualapi.dll %windir%\System32\ualapi.dll
+      sc config Spooler start=auto
+    cleanup_command: |
+      del %windir%\System32\ualapi.dll
+      del %APPDATA%\ualapi.dll
+    name: command_prompt
+    elevation_required: true