diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md
index a9805517..b6f3b1c5 100644
--- a/atomics/T1086/T1086.md
+++ b/atomics/T1086/T1086.md
@@ -36,7 +36,9 @@ PowerShell commands/scripts can also be executed without directly invoking the p
- [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution)
-- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
+- [Atomic Test #13 - PowerShell Downgrade Attack](#atomic-test-13---powershell-downgrade-attack)
+
+- [Atomic Test #14 - NTFS Alternate Data Stream Access](#atomic-test-14---ntfs-alternate-data-stream-access)
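Review bot: In the table of contents, the new test takes slot #13 and pushes NTFS Alternate Data Stream Access to #14, so that test's anchor changes from `#atomic-test-13---ntfs-alternate-data-stream-access` to `#atomic-test-14---ntfs-alternate-data-stream-access`. Any existing link, runbook or detection note that refers to T1086 test 13 will now land on a different test. Consider placing the downgrade test after the current last test so the existing numbers stay stable.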
@@ -285,7 +287,27 @@ powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text
-## Atomic Test #13 - NTFS Alternate Data Stream Access
+## Atomic Test #13 - PowerShell Downgrade Attack
+Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+powershell.exe -version 2 -Command Write-Host $PSVersion
+```
+
+#### Commands to Check Prerequisites:
+```
+if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
+```
+
+
+
+
+
+## Atomic Test #14 - NTFS Alternate Data Stream Access
Creates a file with an alternate data stream and simulates executing that hidden code/file
**Supported Platforms:** Windows
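Review bot: In the "Run it with `powershell`" block, `Write-Host $PSVersion` references a variable that PowerShell does not define; the engine version is in `$PSVersionTable.PSVersion`. Because the executor is itself PowerShell, the unquoted `$...` is also expanded by the calling session before the `-version 2` child starts, so the child has nothing to print and the output cannot confirm that the 2.0 engine actually ran. Suggest `powershell.exe -version 2 -Command 'Write-Host $PSVersionTable.PSVersion'`, with single quotes so the child process evaluates the variable.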
diff --git a/atomics/index.md b/atomics/index.md
index c6681c5c..294e9d4c 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -610,7 +610,8 @@
- Atomic Test #10: Powershell invoke mshta.exe download [windows]
- Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #12: PowerShell Fileless Script Execution [windows]
- - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+ - Atomic Test #13: PowerShell Downgrade Attack [windows]
+ - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 6772d59c..79e1b105 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -17831,6 +17831,21 @@ execution:
command: |
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
+ - name: PowerShell Downgrade Attack
+ description: 'Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
+
+'
+ command: 'powershell.exe -version 2 -Command Write-Host $PSVersion
+
+'
- name: NTFS Alternate Data Stream Access
description: 'Creates a file with an alternate data stream and simulates executing
that hidden code/file
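Review bot: The `prereq_command` checks `$PSVersionTable.PSCompatibleVersions`, which Windows PowerShell 5.1 reports as including 2.0 whether or not the 2.0 engine is actually installed, so the prerequisite passes on hosts where `powershell.exe -version 2` cannot start. The check should probe the 2.0 engine itself, for example by testing that a trivial `powershell.exe -version 2 -Command exit` call succeeds, so the test is skipped rather than reported as a failed execution on hosts where the engine has been removed.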
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 42b06387..108955e9 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -495,7 +495,8 @@
- Atomic Test #10: Powershell invoke mshta.exe download [windows]
- Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #12: PowerShell Fileless Script Execution [windows]
- - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+ - Atomic Test #13: PowerShell Downgrade Attack [windows]
+ - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]