title: Downgrade Attack (T1562.010)
id: df00tech-t1562-010
status: experimental
description: "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into less secure modes of operation. Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL to evade detection. Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection. On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot."
references:
  - https://attack.mitre.org/techniques/T1562/010/
  - https://df00tech.com/detections/T1562.010
author: df00tech
date: 2026/04/21
tags:
  - attack.t1562.010
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legacy application compatibility testing that requires PowerShell v2 — some older SCCM scripts or compliance tools explicitly invoke PowerShell v2 for backward compatibility
  - "IT administrators enabling SMBv1 temporarily to support legacy network printers, scanners, or NAS devices that do not support SMBv2+"
  - Windows feature management scripts that enumerate optional features including SMB1Protocol as part of a configuration audit without actually enabling it
  - Development and QA teams testing application behavior across different protocol versions in isolated lab environments
level: high