New Test : Leverage Virtual Channels to execute custom DLL during suc…

…cessful RDP session (#2882)

* Update T1547.yaml

New Test Added : Leverage Virtual Channels to execute custom DLL during successful RDP session

* Update T1547.yaml

---------

Co-authored-by: Carrie Roberts <[email protected]>

atomics/T1547/T1547.yaml

@@ -16,7 +16,6 @@ atomic_tests:
     command: |
       pnputil.exe /add-driver "#{driver_inf}"
     name: command_prompt
-
 - name: Driver Installation Using pnputil.exe
   auto_generated_guid: 5cb0b071-8a5a-412f-839d-116beb2ed9f7
   description: |
@@ -32,3 +31,27 @@ atomic_tests:
     command: |
       pnputil.exe -i -a #{driver_path}
     name: powershell
+- name: Leverage Virtual Channels to execute custom DLL during successful RDP session
+  description: |
+    Virtual Channels can be leveraged to alter RDP behavior using dedicated Addins.The mechanism is implemented using DLLs which can be executed during RDP session automatically. 
+    The DLLs are loaded in the host system only after successful connection is established with the remote system.
+    Once the test is run, amsi.dll will be loaded on the host system during successful RDP session.
+    Blog :https://learn.microsoft.com/en-us/windows/win32/termserv/terminal-services-virtual-channels?redirectedfrom=MSDN
+  supported_platforms:
+  - windows
+  input_arguments:
+    Subkey_Added:
+      description: New Sub key added in the registry path
+      type: String
+      default: 'Malware'
+    dll_inf:
+      description: custom DLL to be executed
+      type: Path
+      default: 'C:\Windows\System32\amsi.dll'      
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}" /v Name /t REG_SZ /d "#{dll_inf}" /f
+    cleanup_command: |-
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins\#{Subkey_Added}" /f      
+    name: command_prompt
+    elevation_required: true