T1562.010: Downgrade Attack

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.

Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing. For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.

Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

pt_application_firewall: PT-CR-636: PTAF_Old_Or_Unknown_HTTP_Version: An attempt to connect via an outdated protocol mitre_attck_execution: PT-CR-945: Subrule_PowerShell_CLM_Bypass_4104: An attempt to bypass PowerShell Constrained Language was detected based on PowerShell script block logging events mitre_attck_execution: PT-CR-944: Subrule_PowerShell_CLM_Bypass_4103: An attempt to bypass PowerShell Constrained Language was detected based on PowerShell module logging events mitre_attck_defense_evasion: PT-CR-942: Subrule_CSC_Start_And_File_Create: Starting a csc.exe process with a parent powershell.exe process and creating a library by a process is detected mitre_attck_defense_evasion: PT-CR-930: AMSI_Bypass_Via_Powershell: AMSI bypass method use is detected mitre_attck_defense_evasion: PT-CR-938: PowerShell_CLM_Bypass: An attempt to bypass PowerShell Constrained Language mitre_attck_defense_evasion: PT-CR-2558: NTLM_Downgrade: Registry keys responsible for the version of the NTLM authentication protocol were modified. This may indicate an NTLM Downgrade attack in which an attacker downgrades the protocol version to weaken the protection of the data being transmitted. vk_cloud: PT-CR-2296: VK_Cloud_Image_From_Marketplace_Creation: A user created or used an image from Marketplace to create a virtual machine, which may indicate an attacker's attempt to use an image version containing vulnerabilities active_directory_attacks: PT-CR-1203: Abuse_Kerberos_RC4: Possible exploitation of the CVE-2022-33679 vulnerability in Kerberos, which will allow attackers to obtain an authenticated session on behalf of the victim and execute arbitrary code on a compromised node. This may allow an attacker to extract the credentials of other users and move horizontally to other infrastructure nodes hacking_tools: PT-CR-757: Internal_Monologue_Attack: A NetNTLM downgrade attack using Internal Monologue is detected

ID	Data source and component	Description
DS0009	Process: Process Metadata	Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal use of a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, monitoring for Windows event ID (EID) 400, specifically the `EngineVersion` field which shows the version of PowerShell running, may highlight a malicious downgrade attack.
DS0017	Command: Command Execution	Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: `powershell –v 2`).
DS0009	Process: Process Creation	Monitor newly executed processes that may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging.

Data source and component

Description

DS0009

Process: Process Metadata

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal use of a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, monitoring for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running, may highlight a malicious downgrade attack.

DS0017

Command: Command Execution

Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2).

DS0009

Process: Process Creation

Monitor newly executed processes that may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging.

ID	Name	Description
M1042	Disable or Remove Feature or Program	Consider removing previous versions of tools that are unnecessary to the environment when possible.
M1054	Software Configuration	Consider implementing policies on internal web servers, such HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.

Name

Description

M1042

Disable or Remove Feature or Program

Consider removing previous versions of tools that are unnecessary to the environment when possible.

M1054

Software Configuration

Consider implementing policies on internal web servers, such HTTP Strict Transport Security, that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.

T1562.010: Downgrade Attack

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Detection

Mitigation