T1562.010 Downgrade Attack
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.142
Adversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.5
| Item | Value |
|---|---|
| ID | T1562.010 |
| Sub-techniques | T1562.001, T1562.002, T1562.003, T1562.004, T1562.006, T1562.007, T1562.008, T1562.009, T1562.010, T1562.011 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Version | 1.1 |
| Created | 08 October 2021 |
| Last Modified | 19 May 2022 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Consider removing previous versions of tools that are unnecessary to the environment when possible. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
References
-
Falcon Complete Team. (2021, May 11). Response When Minutes Matter: Rising Up Against Ransomware. Retrieved October 8, 2021. ↩
-
Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021. ↩
-
Hastings, M. (2014, July 16). Investigating PowerShell Attacks. Retrieved December 1, 2021. ↩
-
Kirk, N. (2018, June 18). Bring Your Own Land (BYOL) – A Novel Red Teaming Technique. Retrieved October 8, 2021. ↩
-
Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021. ↩