Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.
Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing.[1] For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL (for example, by launching powershell.exe with the -Version 2 switch where the PowerShell 2.0 engine is still installed) with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.[2][3][4]
Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.[5][6] On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.[7]
| ID | Name | Description |
|---|---|---|
| S1180 | BlackByte Ransomware | BlackByte Ransomware enables SMBv1 during execution.[8] |
| C0041 | FrostyGoop Incident | During the FrostyGoop Incident, the adversary downgraded firmware on victim devices in order to impair visibility into the process environment.[9] |
| S0692 | SILENTTRINITY | SILENTTRINITY can downgrade NTLM to capture NTLM hashes.[10] |
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Consider removing previous versions of tools that are unnecessary to the environment when possible. |
| M1054 | Software Configuration | Consider implementing policies on internal web servers, such as HTTP Strict Transport Security (HSTS), that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.[11] |
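As an added example (not part of the ATT&CK page or of any product referenced on it), the following Python audits the Strict-Transport-Security header of a response the way a practitioner would check the M1054 mitigation above: it parses the header per RFC 6797, flags the settings that leave a client exposed to an HTTPS-to-HTTP downgrade, and rejects policies served over plain HTTP, which browsers ignore. The one-year minimum for max-age is an assumed threshold borrowed from the browser preload list requirements; the sample responses are constructed for the example.

```python
import re

# RFC 6797 grammar: max-age=delta-seconds, value optionally quoted. Directive names are case-insensitive.
MAX_AGE_RE = re.compile(r'^max-age=(?:"(\d+)"|(\d+))$', re.IGNORECASE)
ONE_YEAR = 31536000  # assumed minimum; matches the hstspreload.org requirement


def parse_hsts(value):
    """Parse an STS header value into (max_age, include_subdomains, preload).

    max_age is None when the required directive is missing or malformed.
    """
    max_age, include_sub, preload = None, False, False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        m = MAX_AGE_RE.match(directive)
        if m:
            max_age = int(m.group(1) or m.group(2))
        elif directive.lower() == "includesubdomains":
            include_sub = True
        elif directive.lower() == "preload":
            preload = True
    return max_age, include_sub, preload


def evaluate_hsts(scheme, headers, min_age=ONE_YEAR):
    """Return the list of weaknesses in a response's HSTS policy (empty list = adequate).

    headers is a list of (name, value) pairs so duplicate fields are preserved.
    """
    # UAs only honor STS over secure transport; an HTTP endpoint can only redirect to HTTPS.
    if scheme != "https":
        return ["HSTS is only honored over HTTPS; send the header on the HTTPS response and redirect HTTP to HTTPS"]
    values = [v for name, v in headers if name.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: the client will follow a downgrade to HTTP"]
    # RFC 6797 section 8.1: when several STS fields are present, only the first is processed.
    max_age, include_sub, preload = parse_hsts(values[0])
    issues = []
    if max_age is None:
        issues.append("max-age directive missing or malformed: the whole policy is ignored")
    elif max_age == 0:
        issues.append("max-age=0 deletes the cached policy from the client")
    elif max_age < min_age:
        issues.append(f"max-age={max_age} is short: protection lapses {max_age} s after the last HTTPS visit")
    if not include_sub:
        issues.append("includeSubDomains missing: cookies scoped to the domain can still be sent to an HTTP subdomain")
    if not preload:
        issues.append("note: without preload the very first visit is unprotected until the header is seen")
    return issues


# Constructed sample responses (scheme, header list) for the example.
SAMPLE_RESPONSES = {
    "weak":       ("https", [("Strict-Transport-Security", "max-age=300")]),
    "strong":     ("https", [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")]),
    "over-http":  ("http",  [("Strict-Transport-Security", "max-age=31536000")]),
    "duplicate":  ("https", [("Strict-Transport-Security", "max-age=0"),
                             ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload")]),
}


def audit(responses=SAMPLE_RESPONSES):
    """Evaluate each sample response and return {label: issues}."""
    return {label: evaluate_hsts(scheme, headers) for label, (scheme, headers) in responses.items()}


if __name__ == "__main__":
    for label, issues in audit().items():
        print(f"{label}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

The duplicate-header case matters in practice: a load balancer that prepends its own max-age=0 (or a stale one) silently disables the stronger policy the application sets, because clients only read the first field. Pair the check with a redirect test on the HTTP listener, since HSTS cannot protect a client that has never completed an HTTPS visit.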
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0350 | Detecting Downgrade Attacks | AN0995 | Detection of processes launching downgraded PowerShell versions (e.g., v2) or other legacy binaries that lack logging or security features. Correlates command-line arguments, process metadata, and version fields. Monitors registry changes to Defender or HVCI keys that could indicate intentional downgrades. |
| | | AN0996 | Monitors execution of older or legacy interpreters (e.g., python2, bash with restricted history logging), downgrade of TLS/SSL configurations, or forced fallback to unencrypted protocols. Detects suspicious reconfiguration of kernel modules or boot loaders to reduce integrity controls. |
| | | AN0997 | Detection of execution of legacy scripting runtimes (e.g., older versions of Python, Bash, or PowerShell Core) lacking auditing. Monitoring for changes to EFI or system boot files indicative of downgrade-based persistence or bypass of integrity features. |
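The PowerShell downgrade described in the technique description and the AN0995 analytic above can be detected from two Windows log sources, and the added Python example below (written for this page; it is not ATT&CK's or any vendor's detection content) runs both checks over constructed sample events. The first check reads Event ID 400 from the Windows PowerShell channel, whose message carries both HostVersion and EngineVersion, and flags any engine older than its host, which is exactly what a `-Version 2` launch on a PowerShell 5.x system produces. The second check looks at process-creation command lines (Security 4688 or Sysmon 1) for an explicit request for version 2, including the abbreviated switch forms powershell.exe accepts. The event bodies are abbreviated reconstructions of the real message layout, and the hostnames and paths are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # log channel / event ID the finding came from
    reason: str
    detail: str


def _eid400(host_version, engine_version, host_application):
    """Build an abbreviated Windows PowerShell EID 400 message body (constructed for the example)."""
    return ("Engine state is changed from None to Available.\n\nDetails:\n"
            "\tNewEngineState=Available\n\tPreviousEngineState=None\n"
            f"\tHostName=ConsoleHost\n\tHostVersion={host_version}\n"
            f"\tHostApplication={host_application}\n\tEngineVersion={engine_version}\n")


# Constructed sample events; not real captured logs.
ENGINE_EVENTS = [
    {"EventID": 400, "Computer": "WS01", "Message": _eid400("5.1.19041.1", "5.1.19041.1", "powershell.exe -NoProfile")},
    {"EventID": 400, "Computer": "WS01", "Message": _eid400("5.1.19041.1", "2.0", "powershell.exe -version 2 -nop -w hidden")},
    {"EventID": 403, "Computer": "WS01", "Message": "Engine state is changed from Available to Stopped."},
]
PROCESS_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -v 2 -nop -w hidden -ep bypass -f C:\Users\Public\stage.ps1"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo -version 2"},
]

# HostVersion / EngineVersion keys from the EID 400 body; only major.minor is needed for the comparison.
VERSION_KV = re.compile(r"(HostVersion|EngineVersion)=(\d+)\.(\d+)")
# -Version 2 and every unambiguous prefix powershell.exe accepts (-v, -ve, ..., -version), also with '/'.
VERSION_SWITCH = re.compile(r"(?i)(?:^|\s)[-/]v(?:e(?:r(?:s(?:i(?:o(?:n)?)?)?)?)?)?\s+2(?:\.0)?(?=\s|$)")


def parse_versions(message):
    """Return {'HostVersion': (major, minor), 'EngineVersion': (major, minor)} found in an EID 400 body."""
    return {key: (int(major), int(minor)) for key, major, minor in VERSION_KV.findall(message)}


def check_engine_event(event):
    """Flag an EID 400 whose engine version is older than the host that started it."""
    if event.get("EventID") != 400:
        return None
    versions = parse_versions(event.get("Message", ""))
    host, engine = versions.get("HostVersion"), versions.get("EngineVersion")
    if host is None or engine is None:
        return None
    if engine < host:  # tuple comparison on (major, minor)
        return Finding("WindowsPowerShell/400", "engine older than host", f"host={host} engine={engine}")
    return None


def check_process_event(event):
    """Flag a powershell.exe launch whose command line explicitly requests version 2."""
    image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    if image != "powershell.exe":
        return None
    if VERSION_SWITCH.search(event.get("CommandLine", "")):
        return Finding("Security/4688", "explicit -Version 2 request", event["CommandLine"])
    return None


def scan(engine_events=ENGINE_EVENTS, process_events=PROCESS_EVENTS):
    """Run both checks and return the list of findings, engine-log findings first."""
    findings = [f for f in map(check_engine_event, engine_events) if f]
    findings += [f for f in map(check_process_event, process_events) if f]
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

The two sources answer different questions. A matching 4688/Sysmon command line shows an attempt, but on a host where the PowerShell 2.0 engine (a removable Windows feature that needs .NET 3.5) is absent, `-Version 2` fails and nothing is downgraded; the EID 400 host-versus-engine mismatch shows the old engine actually started, so it is the higher-confidence signal and should be alerted on even when the process event is missing. Removing the 2.0 engine, as M1042 above suggests, turns the first signal into a pure early-warning indicator.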