Detect Downgrade Attack in Google Chronicle
Adversaries may downgrade to, or deliberately use, a version of a system feature that is outdated, vulnerable, and/or does not support current security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into a less secure mode of operation. Targets include Command and Scripting Interpreters as well as network protocols, where a downgrade can enable Adversary-in-the-Middle or Network Sniffing. For example, PowerShell 5 and later include Script Block Logging (SBL), which records executed script content; an adversary may instead start the PowerShell 2.0 engine, which does not support SBL, to evade detection. Adversaries may similarly force network traffic from an encrypted HTTPS connection down to plain HTTP. On Windows, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.010 Downgrade Attack
- Canonical reference
- https://attack.mitre.org/techniques/T1562/010/
YARA-L Detection Query
rule downgrade_attack_t1562_010 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects downgrade attacks: PowerShell engine downgrade to v2, SMBv1 enablement via command or registry, and boot-configuration tampering via bcdedit"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.010"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      // PowerShell engine downgrade. Only powershell.exe can host the 2.0 engine
      // (pwsh.exe cannot), and the switch is commonly abbreviated to -v.
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND (
        re.regex($e.principal.process.file.full_path, `(?i)powershell\.exe$`)
        OR re.regex($e.target.process.file.full_path, `(?i)powershell\.exe$`)
      )
      AND re.regex($e.target.process.command_line, `(?i)-v(ersion)?\s+[12]\b`)
    )
    OR (
      // SMBv1 enablement via PowerShell cmdlets or sc.exe. Disable operations use
      // the same verbs, so the $false / start= disabled forms are excluded to keep
      // remediation scripts from firing the rule.
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND re.regex($e.target.process.command_line, `(?i)(SMB1Protocol|mrxsmb10|lanmanworkstation)`)
      AND re.regex($e.target.process.command_line, `(?i)(Enable-WindowsOptionalFeature|Set-SmbServerConfiguration|sc\s+config)`)
      AND NOT re.regex($e.target.process.command_line, `(?i)(\$false|start=\s*disabled)`)
    )
    OR (
      // SMBv1 registry enablement. Sysmon Event ID 13 renders DWORD data as
      // "DWORD (0x00000001)"; other sources may normalise it to "1", so an exact
      // string match on "1" alone misses Sysmon-sourced events.
      $e.metadata.event_type = "REGISTRY_MODIFICATION"
      AND re.regex($e.target.registry.registry_key, `(?i)LANMANSERVER\\Parameters`)
      AND $e.target.registry.registry_value_name = "SMB1"
      AND re.regex($e.target.registry.registry_value_data, `(?i)^(1|DWORD \(0x0*1\))$`)
    )
    OR (
      // Boot-configuration tampering via bcdedit. testsigning and nointegritychecks
      // relax driver and boot-file signature enforcement; bootmgr and winload
      // arguments change which boot components are loaded.
      $e.metadata.event_type = "PROCESS_LAUNCH"
      AND re.regex($e.target.process.file.full_path, `(?i)bcdedit\.exe$`)
      AND re.regex($e.target.process.command_line, `(?i)(testsigning|nointegritychecks|bootmgr|winload)`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1562.010 downgrade attacks. It covers PowerShell engine downgrade to v2 (bypassing Script Block Logging), SMBv1 re-enablement via PowerShell cmdlets or sc.exe, the SMBv1 registry value under LanmanServer\Parameters, and boot-configuration tampering via bcdedit. It uses the UDM process and registry event models and fires on a single event, so no join or time window is required.
Data Sources
- Windows process creation: Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled), ingested as UDM PROCESS_LAUNCH events with principal/target process paths and target.process.command_line populated
- Windows registry value writes: Sysmon Event ID 13, ingested as UDM REGISTRY_MODIFICATION events with target.registry key, value name and value data populated
Required Tables
- UDM events only (PROCESS_LAUNCH and REGISTRY_MODIFICATION); the rule uses no reference lists or lookup tables
False Positives & Tuning
- IT asset management tools enumerating or validating SMBv1 status across the environment without enabling it
- PowerShell ISE or VS Code extension tests that invoke specific PowerShell engine versions for IDE compatibility checks
- Dual-boot or virtualization configuration tools that legitimately modify BCD entries during setup or recovery
- Driver development and kernel debugging hosts where engineers enable testsigning with bcdedit to load unsigned drivers; scope the bcdedit branch to exclude those hosts rather than the command
Testing Methodology
Validate this detection against the three Atomic Red Team test cases below. Each lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: PowerShell Version 2 Downgrade
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing '-Version 2' (or the abbreviated '-v 2'). Note: Script Block Logging (Event ID 4104) will NOT capture the executed commands if the v2 engine loaded successfully, which requires the Windows PowerShell 2.0 Engine feature and .NET Framework 3.5 to be present. Security Event ID 4688 still shows the command line, but only if "Include command line in process creation events" is enabled in audit policy.
- Test 2: Enable SMBv1 Protocol via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Set-SmbServerConfiguration' and 'EnableSMB1Protocol'. Sysmon Event ID 13: Registry Value Set for HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 with Details 'DWORD (0x00000001)'. If SMB1 access auditing is enabled on the server (Set-SmbServerConfiguration -AuditSmb1Access $true), later SMBv1 client connections are recorded as Event ID 3000 in the Microsoft-Windows-SMBServer/Audit log; enabling the protocol on its own does not produce that event.
- Test 3: Enable SMBv1 via Windows Optional Feature
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Enable-WindowsOptionalFeature' and 'SMB1Protocol'. DISM operational events may also be generated. The feature state change persists across reboots, so clean-up must disable the feature again rather than rely on a restart.
References
- https://attack.mitre.org/techniques/T1562/010/
- https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/
- https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique
- https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/
- https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/
- https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/
- https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/