Detect Downgrade Attack in Splunk
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into less secure modes of operation. Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL to evade detection. Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection. On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.010 Downgrade Attack
- Canonical reference
- https://attack.mitre.org/techniques/T1562/010/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND (CommandLine="*-version 2*" OR CommandLine="*-Version 2*" OR CommandLine="*-version 1*" OR CommandLine="*-Version 1*"))
OR
((CommandLine="*SMB1Protocol*" OR CommandLine="*SMB1*" OR CommandLine="*mrxsmb10*") AND (CommandLine="*Enable-WindowsOptionalFeature*" OR CommandLine="*Set-SmbServerConfiguration*" OR CommandLine="*sc config*"))
| eval CommandLine=lower(CommandLine)
| eval PSDowngrade=if(match(CommandLine, "powershell.*-version\s+[12]"), 1, 0)
| eval SMBv1Enable=if(match(CommandLine, "(smb1protocol|smb1|mrxsmb10)"), 1, 0)
| eval DetectionType=case(
PSDowngrade=1, "PowerShell_Downgrade",
SMBv1Enable=1, "SMBv1_Enable",
1=1, "Other_Downgrade"
)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, PSDowngrade, SMBv1Enable
| sort - _time
| append [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
TargetObject="*LANMANSERVER\\Parameters*" Details="DWORD (0x00000001)"
TargetObject="*SMB1*"
| eval DetectionType="SMBv1_Registry"
| table _time, host, User, Image, TargetObject, Details, DetectionType
| sort - _time
]Detects downgrade attacks using Sysmon Event ID 1 (Process Creation) for PowerShell version downgrade and SMBv1 enablement commands, plus Sysmon Event ID 13 (Registry Value Set) for direct SMBv1 registry modifications. Assigns DetectionType labels to distinguish between PowerShell downgrade, SMBv1 enablement, and other downgrade patterns.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legacy application compatibility testing that requires PowerShell v2 for older SCCM or compliance scripts
- IT administrators enabling SMBv1 temporarily to support legacy network devices (printers, scanners, NAS)
- Configuration audit scripts that enumerate Windows optional features including SMB1Protocol
- Development teams testing protocol downgrade scenarios in isolated lab environments
Other platforms for T1562.010
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PowerShell Version 2 Downgrade
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-Version 2'. Note: Script Block Logging (Event ID 4104) will NOT capture the executed commands if the v2 engine loaded successfully. Security Event ID 4688 will still show the command line.
- Test 2Enable SMBv1 Protocol via PowerShell
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Set-SmbServerConfiguration' and 'EnableSMB1Protocol'. Sysmon Event ID 13: Registry Value Set for HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 set to 1. SMBServer Operational Event ID 3000.
- Test 3Enable SMBv1 via Windows Optional Feature
Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Enable-WindowsOptionalFeature' and 'SMB1Protocol'. DISM operational events may also be generated. The feature state change persists across reboots.
References (8)
- https://attack.mitre.org/techniques/T1562/010/
- https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/
- https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique
- https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/
- https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/
- https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/
- https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
Unlock Pro Content
Get the full detection package for T1562.010 including response playbook, investigation guide, and atomic red team tests.