T1562.010 Microsoft Sentinel · KQL

Detect Downgrade Attack in Microsoft Sentinel

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into less secure modes of operation. Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL to evade detection. Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection. On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.010 Downgrade Attack
Canonical reference
https://attack.mitre.org/techniques/T1562/010/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let OldPowerShellVersions = dynamic(["powershell", "-version", "-Version"]);
let SMBv1Patterns = dynamic(["SMB1Protocol", "SMB1", "\\LANMANSERVER"]);
union
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName in~ ("powershell.exe", "pwsh.exe")
  | where ProcessCommandLine has "-version" and ProcessCommandLine has_any ("2", "1")
  | extend DowngradedVersion = extract(@"-[Vv]ersion\s+(\d+)", 1, ProcessCommandLine)
  | where DowngradedVersion in ("1", "2")
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine, DowngradedVersion,
           DetectionType="PowerShell_Downgrade"
),
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where ProcessCommandLine has_any ("Enable-WindowsOptionalFeature", "Set-SmbServerConfiguration", "sc config")
  | where ProcessCommandLine has_any ("SMB1Protocol", "SMB1", "lanmanworkstation", "mrxsmb10")
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine,
           DetectionType="SMBv1_Enable"
),
(
  DeviceRegistryEvents
  | where Timestamp > ago(24h)
  | where RegistryKey has "LANMANSERVER\\Parameters"
  | where RegistryValueName == "SMB1"
  | where RegistryValueData == "1"
  | project Timestamp, DeviceName, AccountName,
           RegistryKey, RegistryValueName, RegistryValueData,
           InitiatingProcessFileName, InitiatingProcessCommandLine,
           DetectionType="SMBv1_Registry"
),
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName =~ "bcdedit.exe"
  | where ProcessCommandLine has_any ("bootmgr", "winload", "path", "loadoptions")
  | where ProcessCommandLine has_any ("downgrade", "rollback", "old", "testsigning")
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine,
           DetectionType="SecureBoot_Downgrade"
)
| sort by Timestamp desc
high severity high confidence

Detects multiple downgrade attack vectors: (1) PowerShell version downgrade to v1 or v2 to evade Script Block Logging, (2) SMBv1 protocol re-enablement via PowerShell cmdlets, sc config, or direct registry modification, and (3) boot manager downgrades via bcdedit that may bypass Secure Boot. Each detection vector is labeled with a DetectionType field for analyst triage.

Data Sources

Process: Process CreationCommand: Command ExecutionWindows Registry: Windows Registry Key ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceRegistryEvents

False Positives & Tuning

  • Legacy application compatibility testing that requires PowerShell v2 — some older SCCM scripts or compliance tools explicitly invoke PowerShell v2 for backward compatibility
  • IT administrators enabling SMBv1 temporarily to support legacy network printers, scanners, or NAS devices that do not support SMBv2+
  • Windows feature management scripts that enumerate optional features including SMB1Protocol as part of a configuration audit without actually enabling it
  • Development and QA teams testing application behavior across different protocol versions in isolated lab environments
Download portable Sigma rule (.yml)

Other platforms for T1562.010

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerShell Version 2 Downgrade

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-Version 2'. Note: Script Block Logging (Event ID 4104) will NOT capture the executed commands if the v2 engine loaded successfully. Security Event ID 4688 will still show the command line.

  2. Test 2Enable SMBv1 Protocol via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Set-SmbServerConfiguration' and 'EnableSMB1Protocol'. Sysmon Event ID 13: Registry Value Set for HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 set to 1. SMBServer Operational Event ID 3000.

  3. Test 3Enable SMBv1 via Windows Optional Feature

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Enable-WindowsOptionalFeature' and 'SMB1Protocol'. DISM operational events may also be generated. The feature state change persists across reboots.

Last updated: 2026-04-21 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1562.010 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.009Safe Mode BootT1562.011Spoof Security AlertingT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.001Disable or Modify ToolsT1059.001PowerShellT1557Adversary-in-the-MiddleT1040Network SniffingT1210Exploitation of Remote ServicesT1553.006Code Signing Policy ModificationT1542Pre-OS Boot

Same Tactic: Defense Evasion

Popular Detections