T1086_AddAtomic_PowerShellDowngradeAttack (#578)

* Added MacOS and Linux isElevated check [toso: test MacOS]

* Update Invoke-AtomicTest.ps1

* Update Invoke-AtomicTest.ps1

* Update Invoke-AtomicTest.ps1

* T1076 RDP To Domain Controller

* T1086_PWSHDowngradeAttack

* T1086_PWSHDowngradeAttack

atomics/T1086/T1086.yaml

@@ -225,6 +225,21 @@ atomic_tests:
       reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
       powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
 
+- name: PowerShell Downgrade Attack
+  description: |
+    Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+ 
+  supported_platforms:
+    - windows 
+  
+  executor:
+    name: powershell
+    elevation_required: false
+    prereq_command: |
+      if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
+    command: |
+      powershell.exe -version 2 -Command Write-Host $PSVersion
+
 - name: NTFS Alternate Data Stream Access
   description: |
     Creates a file with an alternate data stream and simulates executing that hidden code/file