From edcb544e79dc1ade1f4e69586e65e4fbc3ea56b6 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 21 Oct 2019 20:59:21 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1086/T1086.md | 26 ++++++++++++++++++++++++-- atomics/index.md | 3 ++- atomics/index.yaml | 15 +++++++++++++++ atomics/windows-index.md | 3 ++- 4 files changed, 43 insertions(+), 4 deletions(-) diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md index a9805517..b6f3b1c5 100644 --- a/atomics/T1086/T1086.md +++ b/atomics/T1086/T1086.md @@ -36,7 +36,9 @@ PowerShell commands/scripts can also be executed without directly invoking the p - [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution) -- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access) +- [Atomic Test #13 - PowerShell Downgrade Attack](#atomic-test-13---powershell-downgrade-attack) + +- [Atomic Test #14 - NTFS Alternate Data Stream Access](#atomic-test-14---ntfs-alternate-data-stream-access)
@@ -285,7 +287,27 @@ powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text

-## Atomic Test #13 - NTFS Alternate Data Stream Access +## Atomic Test #13 - PowerShell Downgrade Attack +Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ + +**Supported Platforms:** Windows + + +#### Run it with `powershell`! +``` +powershell.exe -version 2 -Command Write-Host $PSVersion +``` + +#### Commands to Check Prerequisites: +``` +if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1} +``` + + +
+
+ +## Atomic Test #14 - NTFS Alternate Data Stream Access Creates a file with an alternate data stream and simulates executing that hidden code/file **Supported Platforms:** Windows diff --git a/atomics/index.md b/atomics/index.md index c6681c5c..294e9d4c 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -610,7 +610,8 @@ - Atomic Test #10: Powershell invoke mshta.exe download [windows] - Atomic Test #11: Powershell Invoke-DownloadCradle [windows] - Atomic Test #12: PowerShell Fileless Script Execution [windows] - - Atomic Test #13: NTFS Alternate Data Stream Access [windows] + - Atomic Test #13: PowerShell Downgrade Attack [windows] + - Atomic Test #14: NTFS Alternate Data Stream Access [windows] - [T1121 Regsvcs/Regasm](./T1121/T1121.md) - Atomic Test #1: Regasm Uninstall Method Call Test [windows] - Atomic Test #2: Regsvs Uninstall Method Call Test [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index 6772d59c..79e1b105 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -17831,6 +17831,21 @@ execution: command: | reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART))) + - name: PowerShell Downgrade Attack + description: 'Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ + +' + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1} + +' + command: 'powershell.exe -version 2 -Command Write-Host $PSVersion + +' - name: NTFS Alternate Data Stream Access description: 'Creates a file with an alternate data stream and simulates executing that hidden code/file diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 42b06387..108955e9 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -495,7 +495,8 @@ - Atomic Test #10: Powershell invoke mshta.exe download [windows] - Atomic Test #11: Powershell Invoke-DownloadCradle [windows] - Atomic Test #12: PowerShell Fileless Script Execution [windows] - - Atomic Test #13: NTFS Alternate Data Stream Access [windows] + - Atomic Test #13: PowerShell Downgrade Attack [windows] + - Atomic Test #14: NTFS Alternate Data Stream Access [windows] - [T1121 Regsvcs/Regasm](./T1121/T1121.md) - Atomic Test #1: Regasm Uninstall Method Call Test [windows] - Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
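Review bot: in the T1086.md hunk at `@@ -285,7 +287,27 @@`, the test command `powershell.exe -version 2 -Command Write-Host $PSVersion` references `$PSVersion`, which is not a PowerShell automatic variable, so `Write-Host` prints an empty line and the test never shows that the 2.0 engine was actually used. `$PSVersionTable.PSVersion` exists in the 2.0 engine and is what the prerequisite check already relies on; suggest `powershell.exe -version 2 -Command Write-Host $PSVersionTable.PSVersion`, which should print `2.0` and gives the person running the test something to correlate against the engine-start events the linked article describes. Since this file is generated, the fix belongs in the source atomic (the T1086 yaml the generator reads), not in this markdown. While there, the description line `Attempts to run powershell commands in version 2.0 https://...` would read better as a sentence with "PowerShell" capitalized, a full stop, and the URL as a markdown link.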
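Review bot: in the index.yaml hunk, the `prereq_command` `if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}` does not verify what the test needs. `PSCompatibleVersions` is a static list of engine versions the host knows how to emulate and, as far as I know, still lists 2.0 on hosts where the 2.0 engine (and the .NET Framework 3.5 it depends on) is not installed, so the check passes and `-version 2` then fails at launch. A check that actually exercises the engine, e.g. `powershell.exe -version 2 -NoProfile -Command exit 0` followed by a test of `$LASTEXITCODE`, would be more reliable. Also note the check emits `0`/`1` to the pipeline rather than exiting with that status; if the runner keys on the process exit code (as `exit 0`/`exit 1` style prereqs elsewhere in the repo do), the result is never seen. Same applies to the duplicated `prereq_command` text in the T1086.md hunk.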
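Review bot: in the index.md and windows-index.md hunks (and the table-of-contents hunk at the top of T1086.md), inserting the new test before the existing one renumbers "NTFS Alternate Data Stream Access" from `#13` to `#14`, which changes its heading anchor from `#atomic-test-13---ntfs-alternate-data-stream-access` to `#atomic-test-14---ntfs-alternate-data-stream-access` and silently breaks any detection write-up, ticket or bookmark that linked to the old anchor. Appending the downgrade test as #14 in the source yaml would keep existing numbers stable; if reordering is intentional, it is worth a line in the commit message so downstream consumers of the index know to update their references.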