Update T1219.yaml (#2763)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1219/T1219.yaml

@@ -281,3 +281,33 @@ atomic_tests:
       $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
       Remove-Item $file1 -ErrorAction Ignore
     name: powershell
+- name: Splashtop Execution
+  description: |
+    An adversary may attempt to trick the user into downloading Splashtop for use as a C2 channel.
+    Upon successful execution, Splashtop will be executed.
+  supported_platforms:
+  - windows
+  input_arguments:
+    Splashtop_Path:
+      description: Path of Splashtop executable
+      type: path
+      default: '${env:programfiles(x86)}\Splashtop\Splashtop Remote\Client for STP\strwinclt.exe'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Splashtop must exist at "#{Splashtop_Path}"
+    prereq_command: |
+      if (Test-Path "#{Splashtop_Path}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\splashtop_install.exe" "https://download.splashtop.com/winclient/STP/Splashtop_Personal_Win_v3.6.6.0.exe"
+      start-sleep 30
+      start-process "PathToAtomicsFolder\..\ExternalPayloads\splashtop_install.exe" /S  
+      start-sleep 30      
+  executor:
+    command: |
+      Start-Process "#{Splashtop_Path}"
+    cleanup_command: |
+      Stop-Process -Name "strwinclt" -force -erroraction silentlycontinue
+    name: powershell
+    elevation_required: true