Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.
Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing.(Citation: Praetorian TLS Downgrade Attack 2014) For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)
Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)
View in MITRE ATT&CK®Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
---|---|---|---|---|
CM-07 | Least Functionality | Protects | T1562.010 | Downgrade Attack |
SI-07 | Software, Firmware, and Information Integrity | Protects | T1562.010 | Downgrade Attack |
SC-08 | Transmission Confidentiality and Integrity | Protects | T1562.010 | Downgrade Attack |
CM-02 | Baseline Configuration | Protects | T1562.010 | Downgrade Attack |
CM-06 | Configuration Settings | Protects | T1562.010 | Downgrade Attack |
RA-05 | Vulnerability Monitoring and Scanning | Protects | T1562.010 | Downgrade Attack |
SI-04 | System Monitoring | Protects | T1562.010 | Downgrade Attack |