T1601.002 Downgrade System Image Mappings

Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)

On embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.

Downgrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as Weaken Encryption. Downgrading of a system image can be done on its own, or it can be used in conjunction with Patch System Image.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1601.002 Downgrade System Image
AC-3 Access Enforcement Protects T1601.002 Downgrade System Image
AC-4 Information Flow Enforcement Protects T1601.002 Downgrade System Image
AC-5 Separation of Duties Protects T1601.002 Downgrade System Image
AC-6 Least Privilege Protects T1601.002 Downgrade System Image
CA-8 Penetration Testing Protects T1601.002 Downgrade System Image
CM-2 Baseline Configuration Protects T1601.002 Downgrade System Image
CM-3 Configuration Change Control Protects T1601.002 Downgrade System Image
CM-5 Access Restrictions for Change Protects T1601.002 Downgrade System Image
CM-6 Configuration Settings Protects T1601.002 Downgrade System Image
CM-7 Least Functionality Protects T1601.002 Downgrade System Image
CM-8 System Component Inventory Protects T1601.002 Downgrade System Image
IA-2 Identification and Authentication (organizational Users) Protects T1601.002 Downgrade System Image
IA-5 Authenticator Management Protects T1601.002 Downgrade System Image
IA-7 Cryptographic Module Authentication Protects T1601.002 Downgrade System Image
RA-9 Criticality Analysis Protects T1601.002 Downgrade System Image
SA-10 Developer Configuration Management Protects T1601.002 Downgrade System Image
SA-11 Developer Testing and Evaluation Protects T1601.002 Downgrade System Image
SC-34 Non-modifiable Executable Programs Protects T1601.002 Downgrade System Image
SI-2 Flaw Remediation Protects T1601.002 Downgrade System Image
SI-4 System Monitoring Protects T1601.002 Downgrade System Image
SI-7 Software, Firmware, and Information Integrity Protects T1601.002 Downgrade System Image
SR-11 Component Authenticity Protects T1601.002 Downgrade System Image
SR-4 Provenance Protects T1601.002 Downgrade System Image
SR-5 Acquisition Strategies, Tools, and Methods Protects T1601.002 Downgrade System Image
SR-6 Supplier Assessments and Reviews Protects T1601.002 Downgrade System Image
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1601.002 Modify System Image: Downgrade System Image