Detect Downgrade Attack in IBM QRadar
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into less secure modes of operation. Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL to evade detection. Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection. On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.010 Downgrade Attack
- Canonical reference
- https://attack.mitre.org/techniques/T1562/010/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
sourceip,
username,
"QIDNAME"(qid) AS event_name,
LOGSOURCENAME(logsourceid) AS log_source,
CATEGORYNAME(category) AS category_name,
"UTF8"(payload) AS raw_payload,
CASE
WHEN LOWER("UTF8"(payload)) LIKE '%powershell%' AND LOWER("UTF8"(payload)) LIKE '%-version%' AND (LOWER("UTF8"(payload)) LIKE '%version 2%' OR LOWER("UTF8"(payload)) LIKE '%version 1%')
THEN 'PowerShell_Downgrade'
WHEN (LOWER("UTF8"(payload)) LIKE '%smb1protocol%' OR LOWER("UTF8"(payload)) LIKE '%mrxsmb10%')
AND (LOWER("UTF8"(payload)) LIKE '%enable-windowsoptionalfeature%' OR LOWER("UTF8"(payload)) LIKE '%set-smbserverconfiguration%' OR LOWER("UTF8"(payload)) LIKE '%sc config%')
THEN 'SMBv1_Enable'
WHEN LOWER("UTF8"(payload)) LIKE '%lanmanserver%parameters%' AND LOWER("UTF8"(payload)) LIKE '%smb1%'
THEN 'SMBv1_Registry'
WHEN LOWER("UTF8"(payload)) LIKE '%bcdedit%' AND (LOWER("UTF8"(payload)) LIKE '%testsigning%' OR LOWER("UTF8"(payload)) LIKE '%bootmgr%')
THEN 'SecureBoot_Downgrade'
ELSE 'Unknown_Downgrade'
END AS detection_type
FROM events
WHERE
LOGSOURCETYPEID IN (12, 13, 268) -- Windows Security, Sysmon, Defender
AND starttime > NOW() - 1 DAYS
AND (
(LOWER("UTF8"(payload)) LIKE '%powershell.exe%' AND LOWER("UTF8"(payload)) LIKE '%-version 2%')
OR (LOWER("UTF8"(payload)) LIKE '%powershell.exe%' AND LOWER("UTF8"(payload)) LIKE '%-version 1%')
OR (
(LOWER("UTF8"(payload)) LIKE '%smb1protocol%' OR LOWER("UTF8"(payload)) LIKE '%mrxsmb10%')
AND (LOWER("UTF8"(payload)) LIKE '%enable-windowsoptionalfeature%' OR LOWER("UTF8"(payload)) LIKE '%set-smbserverconfiguration%')
)
OR (LOWER("UTF8"(payload)) LIKE '%lanmanserver\\parameters%' AND LOWER("UTF8"(payload)) LIKE '%smb1%' AND LOWER("UTF8"(payload)) LIKE '%0x00000001%')
OR (LOWER("UTF8"(payload)) LIKE '%bcdedit.exe%' AND LOWER("UTF8"(payload)) LIKE '%testsigning%')
)
ORDER BY starttime DESCQRadar AQL query detecting downgrade attack patterns including PowerShell version downgrade execution, SMBv1 protocol re-enablement through command-line tools, SMBv1 registry key modification, and Secure Boot downgrade attempts via bcdedit. Parses Sysmon and Windows Security event sources.
Data Sources
Required Tables
False Positives & Tuning
- IT automation scripts that configure SMBv1 for backward compatibility in mixed-OS environments with legacy network equipment
- PowerShell compatibility testing scripts that invoke older engine versions as part of application regression testing
- Boot configuration changes made during Windows feature updates or recovery operations by system administrators
Other platforms for T1562.010
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Version 2 Downgrade
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-Version 2'. Note: Script Block Logging (Event ID 4104) will NOT capture the executed commands if the v2 engine loaded successfully. Security Event ID 4688 will still show the command line.
- Test 2Enable SMBv1 Protocol via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Set-SmbServerConfiguration' and 'EnableSMB1Protocol'. Sysmon Event ID 13: Registry Value Set for HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 set to 1. SMBServer Operational Event ID 3000.
- Test 3Enable SMBv1 via Windows Optional Feature
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Enable-WindowsOptionalFeature' and 'SMB1Protocol'. DISM operational events may also be generated. The feature state change persists across reboots.
References (8)
- https://attack.mitre.org/techniques/T1562/010/
- https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/
- https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique
- https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/
- https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/
- https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/
- https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
Unlock Pro Content
Get the full detection package for T1562.010 including response playbook, investigation guide, and atomic red team tests.