Generate docs from job=validate_atomics_generate_docs branch=master

2019-10-21 20:59:21 +00:00
parent fe8442876b
commit edcb544e79
4 changed files with 43 additions and 4 deletions
@@ -36,7 +36,9 @@ PowerShell commands/scripts can also be executed without directly invoking the p

 - [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution)

- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
+- [Atomic Test #13 - PowerShell Downgrade Attack](#atomic-test-13---powershell-downgrade-attack)
+
+- [Atomic Test #14 - NTFS Alternate Data Stream Access](#atomic-test-14---ntfs-alternate-data-stream-access)


 <br/>
@@ -285,7 +287,27 @@ powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text
 <br/>
 <br/>

-## Atomic Test #13 - NTFS Alternate Data Stream Access
+## Atomic Test #13 - PowerShell Downgrade Attack
+Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! 
+```
+powershell.exe -version 2 -Command Write-Host $PSVersion
+```
+
+#### Commands to Check Prerequisites:
+```
+if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
+```
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - NTFS Alternate Data Stream Access
 Creates a file with an alternate data stream and simulates executing that hidden code/file

 **Supported Platforms:** Windows
@@ -610,7 +610,8 @@
  - Atomic Test #10: Powershell invoke mshta.exe download [windows]
  - Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
  - Atomic Test #12: PowerShell Fileless Script Execution [windows]
-  - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #13: PowerShell Downgrade Attack [windows]
+  - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
 - [T1121 Regsvcs/Regasm](./T1121/T1121.md)
  - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
@@ -17831,6 +17831,21 @@ execution:
        command: |
          reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
          powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
+    - name: PowerShell Downgrade Attack
+      description: 'Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
+
+'
+        command: 'powershell.exe -version 2 -Command Write-Host $PSVersion
+
+'
    - name: NTFS Alternate Data Stream Access
      description: 'Creates a file with an alternate data stream and simulates executing
        that hidden code/file
@@ -495,7 +495,8 @@
  - Atomic Test #10: Powershell invoke mshta.exe download [windows]
  - Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
  - Atomic Test #12: PowerShell Fileless Script Execution [windows]
-  - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #13: PowerShell Downgrade Attack [windows]
+  - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
 - [T1121 Regsvcs/Regasm](./T1121/T1121.md)
  - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvs Uninstall Method Call Test [windows]