ION28 / BLUESPAWN

An Active Defense and EDR software to empower Blue Teams
GNU General Public License v3.0

Address failing Atomic Red Team Tests #368

Open ION28 opened 4 years ago

ION28 commented 4 years ago

[copied from Discord]

T1562.004 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md --> Our hunt looks for some registry configurations in the fw that an attacker could use. Our hunt is not yet robust enough to be able to properly analyze fw configuration (which is some of the stuff ART looks for). Probably a decent amount of work to pass this test.

T1547.005 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md --> Should be an easy-ish one to fix. Need to correct the arg of the SSP DLL to point to an actual DLL on disk (just use a DLL from another ART test). Right now the value the ART test adds doesn't reference a real file, so it's going to fail. Might need to add a copy command to put this DLL into System32.

T1546.015 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md --> ART looks for a very specific COM hijack that we currently don't support. The 3rd test sets a process-scoped env variable, which might be hard to catch currently, but the first two tests should be easy.

T1546.012 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md --> NEED TO INVESTIGATE THIS ONE; we should have code that catches this already in there.

T1546.011 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md --> Failing 1/3 tests, it seems; might be due to it not creating a duplication detection object.

T1136.001 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md --> Current code relies on event logs for user creation, and this doesn't always work well.
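An added example of the T1547.005 check discussed above (not BLUESPAWN's own code): it walks the `Security Packages` entries the way such a hunt would, skips the stock Windows SSPs, resolves each remaining name to the DLL the LSA would load from System32, and records whether that file is actually on disk, so an entry that references no real file (the failure mode noted in the comment) is still reported but distinguishable from a live one. The baseline set, the sample entries and the injected on-disk lookup are assumptions constructed for the example.

```python
import ntpath
from dataclasses import dataclass

# Stock SSP/AP names Windows ships with under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
# Assumed baseline for this example; tune it to the host build.
BASELINE_SSPS = {"kerberos", "msv1_0", "schannel", "wdigest",
                 "tspkg", "pku2u", "cloudap"}

SYSTEM32 = r"C:\Windows\System32"


@dataclass
class SspFinding:
    entry: str          # raw string from the REG_MULTI_SZ value
    resolved: str       # full path the LSA would attempt to load
    exists_on_disk: bool


def resolve_ssp_path(entry: str, system32: str = SYSTEM32) -> str:
    """Map a Security Packages entry to the DLL it refers to.

    A bare name like 'customssp' becomes <system32>\\customssp.dll;
    an absolute path is kept as written.
    """
    name = entry.strip().strip('"')
    if not ntpath.splitext(name)[1]:
        name += ".dll"
    return name if ntpath.isabs(name) else ntpath.join(system32, name)


def hunt_security_packages(entries, file_exists, baseline=BASELINE_SSPS):
    """Return a finding for every entry that is not a stock SSP.

    `entries` is the REG_MULTI_SZ as a list of strings. `file_exists`
    is injected so the logic runs offline; on a live Windows host pass
    os.path.exists. Entries whose DLL is missing are still reported,
    since a value pointing at nothing is itself worth a look.
    """
    findings = []
    for entry in entries:
        if entry.strip().lower() in baseline:
            continue
        path = resolve_ssp_path(entry)
        findings.append(SspFinding(entry, path, file_exists(path)))
    return findings


# Constructed sample: the default list plus two unknown packages, one
# backed by a real file and one that references no file on disk.
SAMPLE_ENTRIES = ["kerberos", "msv1_0", "schannel", "wdigest", "tspkg",
                  "pku2u", "customssp", "ghostssp"]
SAMPLE_DISK = {ntpath.join(SYSTEM32, "customssp.dll")}  # constructed
```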