Adversaries may downgrade to, or use, a version of system features that is outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into less secure modes of operation.
Adversaries may downgrade to and use various less-secure versions of system features, such as Command and Scripting Interpreters or even network protocols, that can be abused to enable Adversary-in-the-Middle or Network Sniffing.(Citation: Praetorian TLS Downgrade Attack 2014) For example, PowerShell version 5 and later include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that might otherwise have been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)
Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.01 | Configuration baselines | Mitigates | T1562.010 | Downgrade Attack | Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
| PR.PS-01.02 | Least functionality | Mitigates | T1562.010 | Downgrade Attack | Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
| PR.PS-01.03 | Configuration deviation | Mitigates | T1562.010 | Downgrade Attack | Comments: This diagnostic statement provides protection from Impair Defenses: Downgrade Attack through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations. |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1562.010 | Downgrade Attack | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1562.010 | Downgrade Attack | |
| SC-08 | Transmission Confidentiality and Integrity | mitigates | T1562.010 | Downgrade Attack | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1562.010 | Downgrade Attack | |
| CM-02 | Baseline Configuration | mitigates | T1562.010 | Downgrade Attack | |
| CM-07 | Least Functionality | mitigates | T1562.010 | Downgrade Attack | |
| SI-04 | System Monitoring | mitigates | T1562.010 | Downgrade Attack | |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1562.010 | Downgrade Attack | Comments: This control may prevent downgrade attacks by enforcing use of the HTTPS protocol. |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1562.010 | Downgrade Attack | Comments: This control may detect executed commands indicative of attempts to abuse older or deprecated technologies (e.g. `powershell -v 2`). |
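The following is an added detection example, not code from ATT&CK or from any of the mapped controls, covering both the PowerShell downgrade described above and the `powershell -v 2` command pattern the Windows alert note refers to. It scans constructed key=value renderings of process-creation (4688) and PowerShell Engine Lifecycle (event ID 400) records and flags any run that requests or starts an engine older than 5.0, the first version with Script Block Logging; the log format, field names and sample values are assumptions for the example.

```python
import re

# Two artefacts point at a PowerShell version downgrade:
#   * a process command line requesting an engine below 5.0 (powershell.exe
#     accepts -Version and any unambiguous prefix, so "-v 2", "-ver 2" and
#     "-Version 2.0" all select the v2 engine);
#   * a Windows PowerShell "Engine Lifecycle" event (ID 400) whose
#     EngineVersion major number is below 5.
# Script Block Logging only exists in engine 5.0 and later.
SBL_MIN_MAJOR = 5
VERSION_SWITCH = re.compile(r"(?i)(?<!\S)-v[a-z]*\s+(\d+(?:\.\d+)?)")
CMDLINE = re.compile(r'CommandLine="([^"]*)"')  # assumed field rendering
ENGINE = re.compile(r"EngineVersion=(\S+)")       # assumed field rendering


def requested_version(cmdline):
    """Return the -Version value on a powershell.exe command line, or None."""
    m = VERSION_SWITCH.search(cmdline)
    return m.group(1) if m else None


def major(version):
    return int(version.split(".")[0])


def is_downgrade_cmdline(cmdline):
    v = requested_version(cmdline)
    return v is not None and major(v) < SBL_MIN_MAJOR


def is_engine_downgrade(engine_version):
    return major(engine_version) < SBL_MIN_MAJOR


def scan(lines):
    """Return (line_number, reason) for every record showing a downgrade."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CMDLINE.search(line)
        if m and is_downgrade_cmdline(m.group(1)):
            hits.append((n, f"command line requests engine {requested_version(m.group(1))}"))
            continue
        m = ENGINE.search(line)
        if m and is_engine_downgrade(m.group(1)):
            hits.append((n, f"engine {m.group(1)} started (no Script Block Logging)"))
    return hits


# Constructed sample records, not taken from the page or any real host.
SAMPLE_LOGS = [
    'EventID=4688 CommandLine="powershell.exe -v 2 -NoProfile -File C:\\tasks\\run.ps1"',
    'EventID=4688 CommandLine="powershell.exe -NoProfile -File C:\\tasks\\run.ps1"',
    'EventID=4688 CommandLine="powershell.exe -Version 2.0 -Command Get-Process"',
    'EventID=4688 CommandLine="powershell.exe -Version 5.1 -Command Get-Process"',
    "EventID=400 HostVersion=5.1.19041.1 EngineVersion=2.0",
    "EventID=400 HostVersion=5.1.19041.1 EngineVersion=5.1.19041.1",
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```

Matching on the command line alone misses launches that inherit a v2 engine without an explicit switch, so the event ID 400 check is the more reliable of the two signals.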