|T1562.001||Disable or Modify Tools|
|T1562.002||Disable Windows Event Logging|
|T1562.003||Impair Command History Logging|
|T1562.004||Disable or Modify System Firewall|
|T1562.007||Disable or Modify Cloud Firewall|
|T1562.008||Disable Cloud Logs|
|T1562.009||Safe Mode Boot|
Adversaries may downgrade to, or use, a version of a system feature that is outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL, with the intent to Impair Defenses while running malicious scripts that might otherwise have been detected.
Adversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.
|M1042||Disable or Remove Feature or Program||
Consider removing previous versions of tools that are unnecessary to the environment when possible.
|ID||Data Source||Data Component||Detects|
Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex:
Monitor newly executed processes that may downgrade to, or use, a version of a system feature that is outdated, vulnerable, and/or does not support updated security controls such as logging.
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal use of a version of a system feature that is outdated, vulnerable, and/or does not support updated security controls such as logging. For example, monitoring for Windows event ID (EID) 400, specifically the
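
The two detections described above (process command lines and EID 400), sketched as an added Python example that is not part of the original page. It assumes process telemetry exposes the full command line and that the EID 400 message text carries an `EngineVersion=` field; the record layout and sample values are constructed for illustration.

```python
import re

MIN_SBL_MAJOR = 5  # per the page, PowerShell 5+ includes Script Block Logging

PS_IMAGE = re.compile(r"(?i)\bpowershell(?:\.exe)?\b")
# powershell.exe accepts any unambiguous prefix of -Version (-v, -ve, -ver, ...)
VERSION_ARG = re.compile(
    r"(?i)(?:^|\s)[-/\u2013]v(?:e(?:r(?:s(?:i(?:on?)?)?)?)?)?\s+[\"']?(\d+)")
# Assumption: the EID 400 message text carries an "EngineVersion=<n>" field
ENGINE_FIELD = re.compile(r"(?i)\bEngineVersion\s*=\s*(\d+)")

def cmdline_downgrade(cmdline):
    """Major version requested via -Version if below MIN_SBL_MAJOR, else None."""
    if not PS_IMAGE.search(cmdline):
        return None
    m = VERSION_ARG.search(cmdline)
    major = int(m.group(1)) if m else None
    return major if major is not None and major < MIN_SBL_MAJOR else None

def engine_downgrade(event_id, message):
    """Engine major version from an EID 400 record if below MIN_SBL_MAJOR, else None."""
    if event_id != 400:
        return None
    m = ENGINE_FIELD.search(message)
    major = int(m.group(1)) if m else None
    return major if major is not None and major < MIN_SBL_MAJOR else None

def scan(records):
    """Return (index, reason) for each record that indicates a downgraded engine."""
    hits = []
    for i, r in enumerate(records):
        if "cmdline" in r:
            v = cmdline_downgrade(r["cmdline"])
            why = f"command line requests PowerShell v{v}"
        else:
            v = engine_downgrade(r["event_id"], r["message"])
            why = f"EID 400 reports engine v{v}"
        if v is not None:
            hits.append((i, why))
    return hits

# Constructed sample telemetry (not taken from the page)
SAMPLE = [
    {"cmdline": r"powershell.exe -NoProfile -Version 2 -File C:\Temp\job.ps1"},
    {"cmdline": r"powershell.exe -NoProfile -File C:\Scripts\verify.ps1 -v"},
    {"cmdline": 'powershell -ve 2.0 -c "Get-Date"'},
    {"event_id": 400, "message": "EngineVersion=2.0"},
    {"event_id": 400, "message": "EngineVersion=5.1.19041.1"},
]
```

Matching on the abbreviated forms of the version switch matters because a rule keyed only to the full `-Version` spelling misses the shortened variants, while the EID 400 check catches the downgraded engine regardless of how it was launched.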