T1562.010 Elastic Security · Elastic

Detect Downgrade Attack in Elastic Security

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into less secure modes of operation. Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL to evade detection. Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection. On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.010 Downgrade Attack
Canonical reference
https://attack.mitre.org/techniques/T1562/010/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
[
  any where (
    (
      event.category == "process" and
      process.name in~ ("powershell.exe", "pwsh.exe") and
      process.args : ("-version", "-Version") and
      process.command_line : ("*-version 2*", "*-Version 2*", "*-version 1*", "*-Version 1*")
    ) or
    (
      event.category == "process" and
      process.command_line : ("*SMB1Protocol*", "*SMB1*", "*mrxsmb10*") and
      process.command_line : ("*Enable-WindowsOptionalFeature*", "*Set-SmbServerConfiguration*", "*sc config*")
    ) or
    (
      event.category == "process" and
      process.name =~ "bcdedit.exe" and
      process.command_line : ("*bootmgr*", "*winload*") and
      process.command_line : ("*testsigning*", "*downgrade*", "*rollback*")
    ) or
    (
      event.category == "registry" and
      registry.path : "*LANMANSERVER\\Parameters*" and
      registry.value == "SMB1" and
      registry.data.strings : ("1", "0x00000001")
    )
  )
] by host.name
high severity high confidence

Detects downgrade attacks including PowerShell version downgrade (bypassing Script Block Logging), SMBv1 re-enablement, and Secure Boot downgrade via bcdedit. Covers process command line patterns and registry modifications associated with T1562.010.

Data Sources

EndpointWindows Event LogsSysmon

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.registry-*logs-windows.sysmon_operational-*

False Positives & Tuning

  • Legacy application compatibility testing by IT teams explicitly running PowerShell v2 for validation purposes
  • System administrators enabling SMBv1 for legacy device support in environments with older NAS devices or printers that require it
  • Security researchers or red team operators conducting authorized downgrade testing in lab environments
Download portable Sigma rule (.yml)

Other platforms for T1562.010

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Version 2 Downgrade

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-Version 2'. Note: Script Block Logging (Event ID 4104) will NOT capture the executed commands if the v2 engine loaded successfully. Security Event ID 4688 will still show the command line.

  2. Test 2Enable SMBv1 Protocol via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Set-SmbServerConfiguration' and 'EnableSMB1Protocol'. Sysmon Event ID 13: Registry Value Set for HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 set to 1. SMBServer Operational Event ID 3000.

  3. Test 3Enable SMBv1 via Windows Optional Feature

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Enable-WindowsOptionalFeature' and 'SMB1Protocol'. DISM operational events may also be generated. The feature state change persists across reboots.

Last updated: 2026-04-21 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1562.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.009Safe Mode BootT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.001Disable or Modify ToolsT1059.001PowerShellT1557Adversary-in-the-MiddleT1040Network SniffingT1210Exploitation of Remote ServicesT1553.006Code Signing Policy ModificationT1542Pre-OS Boot

Same Tactic: Defense Evasion

Popular Detections