T1562.010 Sumo Logic CSE · Sumo

Detect Downgrade Attack in Sumo Logic CSE

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into less secure modes of operation. Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL to evade detection. Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection. On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.010 Downgrade Attack
Canonical reference
https://attack.mitre.org/techniques/T1562/010/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
// Extract the key=value fields the rule needs; nodrop keeps events that lack a key
// (a registry event has no CommandLine, a process event has no TargetObject)
| parse "EventCode=*" as event_code nodrop
| parse "Image=*" as process_image nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "ParentImage=*" as parent_image nodrop
| parse "TargetObject=*" as registry_target nodrop
| parse "Details=*" as registry_details nodrop
| parse "User=*" as username nodrop
// Sysmon 1 (process create), Sysmon 13 (registry value set), Security 4688 (process create)
| where event_code in ("1", "13", "4688")
// Four branches: (1) PowerShell started with -Version 1/2, an engine without Script Block Logging;
// (2) SMBv1 enablement commands; (3) registry write setting LanmanServer\Parameters\SMB1 to 1;
// (4) bcdedit touching test signing or the boot manager entry
| where (
    (toLowerCase(process_image) matches "*\\powershell.exe" OR toLowerCase(process_image) matches "*\\pwsh.exe")
    AND (toLowerCase(command_line) matches "*-version 2*" OR toLowerCase(command_line) matches "*-version 1*")
  )
  OR (
    (toLowerCase(command_line) matches "*smb1protocol*" OR toLowerCase(command_line) matches "*mrxsmb10*")
    AND (toLowerCase(command_line) matches "*enable-windowsoptionalfeature*" OR toLowerCase(command_line) matches "*set-smbserverconfiguration*" OR toLowerCase(command_line) matches "*sc config*")
  )
  OR (
    event_code = "13"
    AND toLowerCase(registry_target) matches "*lanmanserver*parameters*"
    AND toLowerCase(registry_target) matches "*smb1*"
    AND registry_details = "DWORD (0x00000001)"
  )
  OR (
    toLowerCase(process_image) matches "*\\bcdedit.exe"
    AND (toLowerCase(command_line) matches "*testsigning*" OR toLowerCase(command_line) matches "*bootmgr*")
  )
// Label each hit; the nested if() is evaluated top to bottom, so the first matching branch wins
| if (toLowerCase(process_image) matches "*powershell*" AND toLowerCase(command_line) matches "*-version*", "PowerShell_Downgrade",
  if (toLowerCase(command_line) matches "*smb1*", "SMBv1_Enable",
  if (event_code = "13" AND toLowerCase(registry_target) matches "*smb1*", "SMBv1_Registry",
  if (toLowerCase(process_image) matches "*bcdedit*", "SecureBoot_Downgrade", "Other")))) as detection_type
| fields _messagetime, _sourceHost, username, process_image, command_line, parent_image, registry_target, registry_details, detection_type, event_code
| sort by _messagetime desc
Severity: High / Confidence: High

Sumo Logic query detecting T1562.010 downgrade attack techniques, including PowerShell engine version downgrade (to bypass Script Block Logging), SMBv1 protocol enablement commands, SMBv1 registry modifications, and Secure Boot downgrade via bcdedit. It ingests Sysmon event codes 1 and 13 along with Windows Security Event 4688. Note that the parse statements expect key=value fields (EventCode=, Image=, CommandLine=, TargetObject=, Details=), so a Security 4688 event only matches if the log source renders it in that layout; if your 4688 events arrive with the native "New Process Name" / "Process Command Line" field names, adjust the parse anchors accordingly.

Data Sources

Sysmon, Windows Security Events

Required Tables

windows/sysmon, windows/security

False Positives & Tuning

  • Legacy application support teams running PowerShell v2 compatibility tests during software qualification cycles
  • Network administrators re-enabling SMBv1 temporarily to support file transfers from legacy embedded systems or older NAS appliances
  • Windows patch management tools or WSUS processes that may modify boot configuration entries during update cycles
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell Version 2 Downgrade

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing '-Version 2'. Note: Script Block Logging (Event ID 4104) will NOT capture the executed commands if the v2 engine loaded successfully. Security Event ID 4688 will still show the command line.

  2. Test 2: Enable SMBv1 Protocol via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Set-SmbServerConfiguration' and 'EnableSMB1Protocol'. Sysmon Event ID 13: Registry Value Set for HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 set to 1. SMBServer Operational Event ID 3000.

  3. Test 3: Enable SMBv1 via Windows Optional Feature

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Enable-WindowsOptionalFeature' and 'SMB1Protocol'. DISM operational events may also be generated. The feature state change persists across reboots.
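The following Python script is an added worked example, not code from the page or from Sumo Logic: it re-implements the detection query's parse, where and detection_type logic offline so you can see which of the expected signals above it labels and how the tuning entries from the False Positives section suppress known-benign hits. The log events, host names, the lab host name "lab-qual-01" and the parent process "example-patch-agent.exe" are constructed for the example and are not real telemetry.

```python
import fnmatch
import re

# Field parsing mirrors the query's `parse "Key=*" as field nodrop`: a missing key
# yields None instead of dropping the event. Keys are anchored at line start here so
# "Image=" cannot accidentally capture the "ParentImage=" line.
FIELDS = {
    "event_code": "EventCode", "process_image": "Image", "command_line": "CommandLine",
    "parent_image": "ParentImage", "registry_target": "TargetObject",
    "registry_details": "Details", "username": "User",
}

# Tuning assumptions (hypothetical, not from the page): a qualification-lab host where
# PowerShell v2 tests run, and a patch-management agent expected to spawn bcdedit.
LAB_HOSTS = {"lab-qual-01"}
PATCH_AGENT_PARENTS = ("*\\example-patch-agent.exe",)


def parse_event(raw):
    """Extract the query's fields from one key=value-per-line event text."""
    parsed = {}
    for name, key in FIELDS.items():
        m = re.search(r"^" + re.escape(key) + r"=(.*)$", raw, re.MULTILINE)
        parsed[name] = m.group(1).strip() if m else None
    return parsed


def matches(value, pattern):
    """Case-insensitive glob, like `toLowerCase(x) matches "*glob*"`; None never matches."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def classify(ev):
    """Return the query's detection_type, or None where its where clause drops the event."""
    if ev["event_code"] not in ("1", "13", "4688"):
        return None
    img, cmd = ev["process_image"], ev["command_line"]
    tgt, det = ev["registry_target"], ev["registry_details"]
    ps_downgrade = (matches(img, "*\\powershell.exe") or matches(img, "*\\pwsh.exe")) and (
        matches(cmd, "*-version 2*") or matches(cmd, "*-version 1*"))
    smb1_command = (matches(cmd, "*smb1protocol*") or matches(cmd, "*mrxsmb10*")) and (
        matches(cmd, "*enable-windowsoptionalfeature*") or matches(cmd, "*set-smbserverconfiguration*")
        or matches(cmd, "*sc config*"))
    smb1_registry = (ev["event_code"] == "13" and matches(tgt, "*lanmanserver*parameters*")
                     and matches(tgt, "*smb1*") and det == "DWORD (0x00000001)")
    bcdedit = matches(img, "*\\bcdedit.exe") and (matches(cmd, "*testsigning*") or matches(cmd, "*bootmgr*"))
    if not (ps_downgrade or smb1_command or smb1_registry or bcdedit):
        return None
    # Same precedence as the query's nested if(): first matching label wins.
    if matches(img, "*powershell*") and matches(cmd, "*-version*"):
        return "PowerShell_Downgrade"
    if matches(cmd, "*smb1*"):
        return "SMBv1_Enable"
    if ev["event_code"] == "13" and matches(tgt, "*smb1*"):
        return "SMBv1_Registry"
    if matches(img, "*bcdedit*"):
        return "SecureBoot_Downgrade"
    return "Other"


def suppressed(host, ev, label):
    """Tuning: drop PowerShell v2 hits from lab hosts and bcdedit hits spawned by the patch agent."""
    if label == "PowerShell_Downgrade" and host in LAB_HOSTS:
        return True
    return label == "SecureBoot_Downgrade" and any(matches(ev["parent_image"], p) for p in PATCH_AGENT_PARENTS)


def run_detection(events):
    """Return (host, detection_type, command line or registry target) for each surviving hit."""
    hits = []
    for host, raw in events:
        ev = parse_event(raw)
        label = classify(ev)
        if label is not None and not suppressed(host, ev, label):
            hits.append((host, label, ev["command_line"] or ev["registry_target"]))
    return hits


PS = "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
CMD_PARENT = "ParentImage=C:\\Windows\\System32\\cmd.exe\nUser=CORP\\alice"
# Constructed events: Test 1 as Sysmon 1 and as Security 4688, Test 2 command plus its registry
# write, Test 3, a bcdedit change, a benign baseline, and two tuning cases.
SAMPLE_EVENTS = [
    ("ws-042", "EventCode=1\n" + PS + "CommandLine=powershell.exe -Version 2 -NoProfile\n" + CMD_PARENT),
    ("ws-042", "EventCode=4688\n" + PS + "CommandLine=powershell.exe -Version 2 -NoProfile\n" + CMD_PARENT),
    ("fs-01", "EventCode=1\n" + PS + "CommandLine=powershell.exe -Command Set-SmbServerConfiguration "
              "-EnableSMB1Protocol $true -Force\n" + CMD_PARENT),
    ("fs-01", "EventCode=13\nImage=C:\\Windows\\System32\\svchost.exe\nTargetObject=HKLM\\SYSTEM\\"
              "CurrentControlSet\\Services\\LanmanServer\\Parameters\\SMB1\nDetails=DWORD (0x00000001)"),
    ("ws-077", "EventCode=1\n" + PS + "CommandLine=powershell.exe Enable-WindowsOptionalFeature -Online "
               "-FeatureName SMB1Protocol\n" + CMD_PARENT),
    ("srv-09", "EventCode=1\nImage=C:\\Windows\\System32\\bcdedit.exe\nCommandLine=bcdedit.exe /set testsigning on\n" + CMD_PARENT),
    ("ws-042", "EventCode=1\n" + PS + "CommandLine=powershell.exe -NoProfile -Command Get-Process\n" + CMD_PARENT),
    ("lab-qual-01", "EventCode=1\n" + PS + "CommandLine=powershell.exe -Version 2 -NoProfile\n" + CMD_PARENT),
    ("srv-09", "EventCode=1\nImage=C:\\Windows\\System32\\bcdedit.exe\nCommandLine=bcdedit.exe /set testsigning on\n"
               "ParentImage=C:\\Program Files\\Example\\example-patch-agent.exe\nUser=NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Running the script prints six hits: the two Test 1 events (Sysmon 1 and Security 4688 both carry the command line, matching the note that 4688 still shows it when Script Block Logging does not), the Test 2 command and its registry write as separate SMBv1_Enable and SMBv1_Registry rows, Test 3 as SMBv1_Enable, and the bcdedit change; the benign PowerShell run never passes the where clause and the two tuning cases are suppressed. Suppressing on host or parent process rather than on the command line keeps the rule's detection logic untouched, which is the safer place to put exceptions for the legacy-support and patch-management cases listed above.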
