Impair Defenses: Downgrade Attack

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.[1][2][3]

Adversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.[4]

ID: T1562.010
Sub-technique of:  T1562
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Daniel Feichter, @VirtualAllocEx, Infosec Tirol; Krishnan Subramanian, @krish203; Mayuresh Dani, Qualys; Vinay Pidathala
Version: 1.1
Created: 08 October 2021
Last Modified: 20 April 2022

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Consider removing previous versions of tools that are unnecessary to the environment when possible.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process Process Creation
Process Metadata

Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (ex: powershell –v 2). Also monitor for other abnormal events, such as execution of and/or processes spawning from a version of a tool that is not expected in the environment.

Monitor for Windows event ID (EID) 400, specifically the EngineVersion field which shows the version of PowerShell running and may highlight a malicious downgrade attack.[5]

References