Impair Defenses: Downgrade Attack

Adversaries may downgrade a system feature, or use a version of it, that is outdated, vulnerable, and/or lacks support for updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.

Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing.[1] For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.[2][3][4]

Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.[5][6]

ID: T1562.010
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Arad Inbar, Fidelis Security; Daniel Feichter, @VirtualAllocEx, Infosec Tirol; Mayuresh Dani, Qualys
Version: 1.2
Created: 08 October 2021
Last Modified: 03 October 2023

Procedure Examples

ID | Name | Description
S0692 | SILENTTRINITY | SILENTTRINITY can downgrade NTLM to capture NTLM hashes.[7]

Mitigations

ID | Mitigation | Description
M1042 | Disable or Remove Feature or Program | Consider removing previous versions of tools that are unnecessary to the environment when possible.
M1054 | Software Configuration | Consider implementing policies on internal web servers, such as HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.[8]

Detection

ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution | Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell -v 2).
DS0009 | Process | Process Creation | Monitor newly executed processes that may downgrade or use a version of system features that is outdated, vulnerable, and/or does not support updated security controls such as logging.
DS0009 | Process | Process Metadata | Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal use of a version of system features that is outdated, vulnerable, and/or does not support updated security controls such as logging. For example, monitoring for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running, may highlight a malicious downgrade attack.[9]
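One way to implement the Command Execution and Process Metadata checks above, as an added example that is not part of the original page: it flags EID 400 messages whose EngineVersion is below 5 and extracts the version passed to -Version on the command line. The event message bodies are constructed samples, and the function names and the major-version threshold of 5 (taken from the page's note that SBL exists in PowerShell 5+) are this example's own assumptions.

```python
import re

MIN_ENGINE_MAJOR = 5  # assumption: the page notes Script Block Logging exists in PowerShell 5+

# powershell.exe accepts -, en dash, em dash, horizontal bar and / as the
# parameter prefix, and any prefix of "version" (-v, -ver, ...), so match all.
_VERSION_ARG = re.compile(
    r"(?:^|\s)[-\u2013\u2014\u2015/]v(?:e(?:r(?:s(?:i(?:on?)?)?)?)?)?\s+['\"]?(\d+)",
    re.IGNORECASE)
_FIELD = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)


def requested_version(cmdline):
    """Major version passed to -Version on a PowerShell command line, else None."""
    parts = cmdline.split(None, 1)
    if not parts or "powershell" not in parts[0].lower():
        return None  # avoid matching the "-v 2" of unrelated tools
    m = _VERSION_ARG.search(cmdline)
    return int(m.group(1)) if m else None


def check_eid400(message):
    """Return a finding dict if an EID 400 message shows an engine older than 5."""
    fields = {k: v.strip() for k, v in _FIELD.findall(message)}
    m = re.match(r"(\d+)", fields.get("EngineVersion", ""))
    if not m or int(m.group(1)) >= MIN_ENGINE_MAJOR:
        return None
    host_app = fields.get("HostApplication", "")
    return {"engine": fields["EngineVersion"],
            "host_application": host_app,
            "requested": requested_version(host_app)}


def _msg(host_app, engine):
    """Build a constructed EID 400 message body (sample data, not a real log)."""
    return ("Engine state is changed from None to Available.\r\n\r\nDetails:\r\n"
            "\tNewEngineState=Available\r\n\tHostName=ConsoleHost\r\n"
            f"\tHostApplication={host_app}\r\n\tEngineVersion={engine}\r\n")


SAMPLES = [  # constructed
    _msg("powershell.exe -NoProfile -File report.ps1", "5.1.19041.3031"),
    _msg("powershell.exe \u2013v 2 -Command Get-Date", "2.0"),
    _msg("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Version 2.0", "2.0"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_eid400(sample))
```

A finding whose `requested` value is None means the old engine was loaded without an explicit -Version argument in HostApplication, which is worth triaging separately from the explicit downgrade case.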

References