From fe8442876b1839c45e05217ddda0c82e2c4fdbc0 Mon Sep 17 00:00:00 2001
From: Andras32
Date: Mon, 21 Oct 2019 15:58:55 -0500
Subject: [PATCH] T1086_AddAtomic_PowerShellDowngradeAttack (#578)
* Added MacOS and Linux isElevated check [toso: test MacOS]
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
* T1076 RDP To Domain Controller
* T1086_PWSHDowngradeAttack
* T1086_PWSHDowngradeAttack
---
 atomics/T1086/T1086.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/atomics/T1086/T1086.yaml b/atomics/T1086/T1086.yaml
index 2c095fa9..3e70fc53 100644
--- a/atomics/T1086/T1086.yaml
+++ b/atomics/T1086/T1086.yaml
@@ -225,6 +225,21 @@ atomic_tests:
 reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
 powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
 
+- name: PowerShell Downgrade Attack
+ description: |
+ Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: powershell
+ elevation_required: false
+ prereq_command: |
+ if(2 -in $PSVersionTable.PSCompatibleVersions.Major){0}else{1}
+ command: |
+ powershell.exe -version 2 -Command Write-Host $PSVersion
+
 - name: NTFS Alternate Data Stream Access
 description: |
 Creates a file with an alternate data stream and simulates executing that hidden code/file
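Review bot: The added `command` line `powershell.exe -version 2 -Command Write-Host $PSVersion` does not show which engine ran: `$PSVersion` is not an automatic variable, and because the executor is `powershell`, the invoking shell expands it (to nothing) before the child process starts, so the test produces no evidence that a 2.0 engine was actually loaded. Use `$PSVersionTable.PSVersion` and keep it out of the parent shell's expansion, e.g. `powershell.exe -version 2 -Command '$PSVersionTable.PSVersion'`. The `prereq_command` test `2 -in $PSVersionTable.PSCompatibleVersions.Major` is also a weak gate: as far as I know that list on a 5.x host includes 2 regardless of whether the Windows PowerShell 2.0 Engine optional feature and the .NET 3.5 runtime it depends on are installed, so a probe such as `powershell.exe -version 2 -Command exit 0` followed by a `$LASTEXITCODE` check should be a more reliable prerequisite. It would also help defenders if the `description` stated what telemetry the test is meant to exercise, namely the engine-version field in the Windows PowerShell event log that the linked post describes.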