Update T1574.001.yaml (#2877)

New test Added : Phantom Dll Hijacking - WinAppXRT.dll

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1574.001/T1574.001.yaml

@@ -19,4 +19,25 @@ atomic_tests:
       del %APPDATA%\updater.exe >nul 2>&1
       del %APPDATA%\amsi.dll >nul 2>&1
     name: command_prompt
-    elevation_required: true
+    elevation_required: true
+- name: Phantom Dll Hijacking - WinAppXRT.dll
+  description: |
+    .NET components (a couple of DLLs loaded anytime .NET apps are executed) when they are loaded they look for an environment variable called APPX_PROCESS
+    Setting the environmental variable and dropping the phantom WinAppXRT.dll in e.g. c:\windows\system32 (or any other location accessible via PATH) will ensure the 
+    WinAppXRT.dll is loaded everytime user launches an application using .NET.
+
+    Upon successful execution, amsi.dll will be copied and renamed to WinAppXRT.dll and then WinAppXRT.dll will be copied to system32 folder for loading during execution of any .NET application.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
+      ren %APPDATA%\amsi.dll WinAppXRT.dll
+      copy %APPDATA%\WinAppXRT.dll %windir%\System32\WinAppXRT.dll
+      reg add "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /t REG_EXPAND_SZ /d "1" /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Environment" /v APPX_PROCESS /f
+      del %windir%\System32\WinAppXRT.dll
+      del %APPDATA%\WinAppXRT.dll
+    name: command_prompt
+    elevation_required: true