T1562.010 Downgrade Attack Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let OldPowerShellVersions = dynamic(["powershell", "-version", "-Version"]);
let SMBv1Patterns = dynamic(["SMB1Protocol", "SMB1", "\\LANMANSERVER"]);
union
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName in~ ("powershell.exe", "pwsh.exe")
  | where ProcessCommandLine has "-version" and ProcessCommandLine has_any ("2", "1")
  | extend DowngradedVersion = extract(@"-[Vv]ersion\s+(\d+)", 1, ProcessCommandLine)
  | where DowngradedVersion in ("1", "2")
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine, DowngradedVersion,
           DetectionType="PowerShell_Downgrade"
),
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where ProcessCommandLine has_any ("Enable-WindowsOptionalFeature", "Set-SmbServerConfiguration", "sc config")
  | where ProcessCommandLine has_any ("SMB1Protocol", "SMB1", "lanmanworkstation", "mrxsmb10")
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine,
           DetectionType="SMBv1_Enable"
),
(
  DeviceRegistryEvents
  | where Timestamp > ago(24h)
  | where RegistryKey has "LANMANSERVER\\Parameters"
  | where RegistryValueName == "SMB1"
  | where RegistryValueData == "1"
  | project Timestamp, DeviceName, AccountName,
           RegistryKey, RegistryValueName, RegistryValueData,
           InitiatingProcessFileName, InitiatingProcessCommandLine,
           DetectionType="SMBv1_Registry"
),
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName =~ "bcdedit.exe"
  | where ProcessCommandLine has_any ("bootmgr", "winload", "path", "loadoptions")
  | where ProcessCommandLine has_any ("downgrade", "rollback", "old", "testsigning")
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine,
           DetectionType="SecureBoot_Downgrade"
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Legacy application compatibility testing that requires PowerShell v2 — some older SCCM scripts or compliance tools explicitly invoke PowerShell v2 for backward compatibility
IT administrators enabling SMBv1 temporarily to support legacy network printers, scanners, or NAS devices that do not support SMBv2+
Windows feature management scripts that enumerate optional features including SMB1Protocol as part of a configuration audit without actually enabling it
Development and QA teams testing application behavior across different protocol versions in isolated lab environments

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*-version 2*" OR CommandLine="*-Version 2*" OR CommandLine="*-version 1*" OR CommandLine="*-Version 1*"))
  OR
  ((CommandLine="*SMB1Protocol*" OR CommandLine="*SMB1*" OR CommandLine="*mrxsmb10*") AND (CommandLine="*Enable-WindowsOptionalFeature*" OR CommandLine="*Set-SmbServerConfiguration*" OR CommandLine="*sc config*"))
| eval CommandLine=lower(CommandLine)
| eval PSDowngrade=if(match(CommandLine, "powershell.*-version\s+[12]"), 1, 0)
| eval SMBv1Enable=if(match(CommandLine, "(smb1protocol|smb1|mrxsmb10)"), 1, 0)
| eval DetectionType=case(
  PSDowngrade=1, "PowerShell_Downgrade",
  SMBv1Enable=1, "SMBv1_Enable",
  1=1, "Other_Downgrade"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, PSDowngrade, SMBv1Enable
| sort - _time
| append [
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
    TargetObject="*LANMANSERVER\\Parameters*" Details="DWORD (0x00000001)"
    TargetObject="*SMB1*"
  | eval DetectionType="SMBv1_Registry"
  | table _time, host, User, Image, TargetObject, Details, DetectionType
  | sort - _time
]

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legacy application compatibility testing that requires PowerShell v2 for older SCCM or compliance scripts
IT administrators enabling SMBv1 temporarily to support legacy network devices (printers, scanners, NAS)
Configuration audit scripts that enumerate Windows optional features including SMB1Protocol
Development teams testing protocol downgrade scenarios in isolated lab environments

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
[
  any where (
    (
      event.category == "process" and
      process.name in~ ("powershell.exe", "pwsh.exe") and
      process.args : ("-version", "-Version") and
      process.command_line : ("*-version 2*", "*-Version 2*", "*-version 1*", "*-Version 1*")
    ) or
    (
      event.category == "process" and
      process.command_line : ("*SMB1Protocol*", "*SMB1*", "*mrxsmb10*") and
      process.command_line : ("*Enable-WindowsOptionalFeature*", "*Set-SmbServerConfiguration*", "*sc config*")
    ) or
    (
      event.category == "process" and
      process.name =~ "bcdedit.exe" and
      process.command_line : ("*bootmgr*", "*winload*") and
      process.command_line : ("*testsigning*", "*downgrade*", "*rollback*")
    ) or
    (
      event.category == "registry" and
      registry.path : "*LANMANSERVER\\Parameters*" and
      registry.value == "SMB1" and
      registry.data.strings : ("1", "0x00000001")
    )
  )
] by host.name

high severity high confidence

Data Sources

Endpoint Windows Event Logs Sysmon

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-windows.sysmon_operational-*

False Positives

Legacy application compatibility testing by IT teams explicitly running PowerShell v2 for validation purposes
System administrators enabling SMBv1 for legacy device support in environments with older NAS devices or printers that require it
Security researchers or red team operators conducting authorized downgrade testing in lab environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "QIDNAME"(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  "UTF8"(payload) AS raw_payload,
  CASE
    WHEN LOWER("UTF8"(payload)) LIKE '%powershell%' AND LOWER("UTF8"(payload)) LIKE '%-version%' AND (LOWER("UTF8"(payload)) LIKE '%version 2%' OR LOWER("UTF8"(payload)) LIKE '%version 1%')
      THEN 'PowerShell_Downgrade'
    WHEN (LOWER("UTF8"(payload)) LIKE '%smb1protocol%' OR LOWER("UTF8"(payload)) LIKE '%mrxsmb10%')
      AND (LOWER("UTF8"(payload)) LIKE '%enable-windowsoptionalfeature%' OR LOWER("UTF8"(payload)) LIKE '%set-smbserverconfiguration%' OR LOWER("UTF8"(payload)) LIKE '%sc config%')
      THEN 'SMBv1_Enable'
    WHEN LOWER("UTF8"(payload)) LIKE '%lanmanserver%parameters%' AND LOWER("UTF8"(payload)) LIKE '%smb1%'
      THEN 'SMBv1_Registry'
    WHEN LOWER("UTF8"(payload)) LIKE '%bcdedit%' AND (LOWER("UTF8"(payload)) LIKE '%testsigning%' OR LOWER("UTF8"(payload)) LIKE '%bootmgr%')
      THEN 'SecureBoot_Downgrade'
    ELSE 'Unknown_Downgrade'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 268) -- Windows Security, Sysmon, Defender
  AND starttime > NOW() - 1 DAYS
  AND (
    (LOWER("UTF8"(payload)) LIKE '%powershell.exe%' AND LOWER("UTF8"(payload)) LIKE '%-version 2%')
    OR (LOWER("UTF8"(payload)) LIKE '%powershell.exe%' AND LOWER("UTF8"(payload)) LIKE '%-version 1%')
    OR (
      (LOWER("UTF8"(payload)) LIKE '%smb1protocol%' OR LOWER("UTF8"(payload)) LIKE '%mrxsmb10%')
      AND (LOWER("UTF8"(payload)) LIKE '%enable-windowsoptionalfeature%' OR LOWER("UTF8"(payload)) LIKE '%set-smbserverconfiguration%')
    )
    OR (LOWER("UTF8"(payload)) LIKE '%lanmanserver\\parameters%' AND LOWER("UTF8"(payload)) LIKE '%smb1%' AND LOWER("UTF8"(payload)) LIKE '%0x00000001%')
    OR (LOWER("UTF8"(payload)) LIKE '%bcdedit.exe%' AND LOWER("UTF8"(payload)) LIKE '%testsigning%')
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Events Sysmon Microsoft Defender for Endpoint

Required Tables

events

False Positives

IT automation scripts that configure SMBv1 for backward compatibility in mixed-OS environments with legacy network equipment
PowerShell compatibility testing scripts that invoke older engine versions as part of application regression testing
Boot configuration changes made during Windows feature updates or recovery operations by system administrators

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse "EventCode=*" as event_code nodrop
| parse "Image=*" as process_image nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "ParentImage=*" as parent_image nodrop
| parse "TargetObject=*" as registry_target nodrop
| parse "Details=*" as registry_details nodrop
| parse "User=*" as username nodrop
| where event_code in ("1", "13", "4688")
| where (
    (toLowerCase(process_image) matches "*\\powershell.exe" OR toLowerCase(process_image) matches "*\\pwsh.exe")
    AND (toLowerCase(command_line) matches "*-version 2*" OR toLowerCase(command_line) matches "*-version 1*")
  )
  OR (
    (toLowerCase(command_line) matches "*smb1protocol*" OR toLowerCase(command_line) matches "*mrxsmb10*")
    AND (toLowerCase(command_line) matches "*enable-windowsoptionalfeature*" OR toLowerCase(command_line) matches "*set-smbserverconfiguration*" OR toLowerCase(command_line) matches "*sc config*")
  )
  OR (
    event_code = "13"
    AND toLowerCase(registry_target) matches "*lanmanserver*parameters*"
    AND toLowerCase(registry_target) matches "*smb1*"
    AND registry_details = "DWORD (0x00000001)"
  )
  OR (
    toLowerCase(process_image) matches "*\\bcdedit.exe"
    AND (toLowerCase(command_line) matches "*testsigning*" OR toLowerCase(command_line) matches "*bootmgr*")
  )
| if (toLowerCase(process_image) matches "*powershell*" AND toLowerCase(command_line) matches "*-version*", "PowerShell_Downgrade",
  if (toLowerCase(command_line) matches "*smb1*", "SMBv1_Enable",
  if (event_code = "13" AND toLowerCase(registry_target) matches "*smb1*", "SMBv1_Registry",
  if (toLowerCase(process_image) matches "*bcdedit*", "SecureBoot_Downgrade", "Other")))) as detection_type
| fields _messagetime, _sourceHost, username, process_image, command_line, parent_image, registry_target, registry_details, detection_type, event_code
| sort by _messagetime desc

high severity high confidence

Data Sources

Sysmon Windows Security Events

Required Tables

windows/sysmon windows/security

False Positives

Legacy application support teams running PowerShell v2 compatibility tests during software qualification cycles
Network administrators re-enabling SMBv1 temporarily to support file transfers from legacy embedded systems or older NAS appliances
Windows patch management tools or WSUS processes that may modify boot configuration entries during update cycles

Google Chronicle / SecOps

yaral

rule downgrade_attack_t1562_010 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects downgrade attacks: PowerShell version downgrade, SMBv1 enablement, and Secure Boot downgrade via bcdedit"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.010"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      // PowerShell version downgrade
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND (
        re.regex($e.principal.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        OR re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
      )
      AND re.regex($e.target.process.command_line, `(?i)-[Vv]ersion\s+[12]\b`)
    )
    OR (
      // SMBv1 enablement via commands
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND (
        re.regex($e.target.process.command_line, `(?i)(SMB1Protocol|mrxsmb10|lanmanworkstation)`)
        AND re.regex($e.target.process.command_line, `(?i)(Enable-WindowsOptionalFeature|Set-SmbServerConfiguration|sc\s+config)`)
      )
    )
    OR (
      // SMBv1 registry modification
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      AND re.regex($e.target.registry.registry_key, `(?i)LANMANSERVER\\Parameters`)
      AND $e.target.registry.registry_value_name = "SMB1"
      AND $e.target.registry.registry_value_data = "1"
    )
    OR (
      // Secure Boot downgrade via bcdedit
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND re.regex($e.target.process.file.full_path, `(?i)bcdedit\.exe$`)
      AND re.regex($e.target.process.command_line, `(?i)(testsigning|bootmgr|winload|rollback|downgrade)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Event Logs Sysmon Endpoint Detection

Required Tables

UDM Events - PROCESS_LAUNCH UDM Events - REGISTRY_MODIFICATION

False Positives

IT asset management tools enumerating or validating SMBv1 status across the environment without enabling it
PowerShell ISE or VS Code extension tests that invoke specific PowerShell engine versions for IDE compatibility checks
Dual-boot or virtualization configuration tools that legitimately modify BCD entries during setup or recovery

CrowdStrike LogScale (CQL)

cql

// T1562.010 - Downgrade Attack Detection
#event_simpleName = ProcessRollup2
| CommandLine = /(?i)(powershell|pwsh)\.exe.*-[Vv]ersion\s+[12]\b/
  OR (
    CommandLine = /(?i)(SMB1Protocol|mrxsmb10|lanmanworkstation)/
    AND CommandLine = /(?i)(Enable-WindowsOptionalFeature|Set-SmbServerConfiguration|sc\s+config)/
  )
  OR (
    FileName = /(?i)bcdedit\.exe/
    AND CommandLine = /(?i)(testsigning|bootmgr|winload|rollback|downgrade)/
  )
| eval DetectionType = case(
    match(lower(CommandLine), "(powershell|pwsh).*-version\s+[12]"), "PowerShell_Downgrade",
    match(lower(CommandLine), "(smb1protocol|mrxsmb10)"), "SMBv1_Enable",
    match(lower(FileName), "bcdedit"), "SecureBoot_Downgrade",
    "Other_Downgrade"
  )
| table([_timeutc, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionType])
| sort(field=_timeutc, order=desc)

// Registry-based SMBv1 detection (run separately)
// #event_simpleName = RegValueUpdate
// | TargetObject = /(?i)LANMANSERVER\\Parameters.*SMB1/
// | RegistryValueData = /^(1|0x00000001)$/
// | table([_timeutc, ComputerName, UserName, TargetObject, RegistryValueData, RegOperationType])
// | sort(field=_timeutc, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor Endpoint Process Telemetry Registry Telemetry

Required Tables

ProcessRollup2 RegValueUpdate

False Positives

Authorized penetration testers or red team operators executing PowerShell downgrade as part of a sanctioned engagement
Legacy print server or NAS device onboarding that requires temporary SMBv1 re-enablement by infrastructure teams
Windows Deployment Services (WDS) or MDT boot image creation tasks that modify BCD boot manager configuration entries

Downgrade Attack

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections