title: Disable Crypto Hardware (T1600.002)
id: df00tech-t1600-002
status: experimental
description: "Adversaries disable a network device's dedicated hardware encryption so that the device falls back to slower, software-based cryptographic operations. Routers, switches, and firewalls commonly carry onboard crypto ASICs or plug-in encryption modules (not general-purpose HSMs) that perform IPsec and VPN encryption at line rate and are harder to tamper with than a software implementation. Forcing the software path degrades throughput and, more importantly, lets the adversary target or modify the software cipher implementation. The hardware path is usually disabled by modifying the device's operating system image (T1601) so that the software no longer dispatches to the crypto engine; on some platforms it can also be turned off from the management CLI after privileged access, for example through Valid Accounts (T1078) or Remote Services: SSH (T1021.004). The technique is most dangerous when combined with T1600.001 (Reduce Key Space): hardware protection is removed first and cipher strength is downgraded second, enabling decryption of intercepted VPN or IPsec traffic."
references:
  - https://attack.mitre.org/techniques/T1600/002/
  - https://df00tech.com/detections/T1600.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1600.002
# NOTE: logsource is auto-derived and is a placeholder. This technique runs on network devices, not Windows hosts; the relevant telemetry is device syslog (configuration-change and crypto-engine messages) and configuration backups, so adjust logsource to your network-device log pipeline before use.
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech. The selection below (EventID: '*') matches every event and, at level critical, must not be deployed as-is.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Scheduled network maintenance windows where administrators update crypto engine firmware or replace hardware crypto modules
  - Hardware accelerator failures triggering automatic software fallback: the CRYPTO_ENGINE-4-ACCEL_FAIL syslog message also fires during genuine hardware faults, so a fallback message with no preceding configuration change is ambiguous on its own
  - "Lab, staging, or development network devices where hardware crypto acceleration is intentionally disabled to reduce cost or simplify testing"
  - Vendor-initiated diagnostic procedures where TAC engineers disable hardware acceleration to isolate performance issues
  - "Automated configuration management tools (Ansible, NAPALM, NSO) pushing approved baseline configurations that include software crypto fallback settings"
level: critical
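Worked detection logic for this rule, added here as an example; it is not the df00tech rule's own KQL/SPL query. It scans constructed Cisco IOS-style syslog lines (the message format, the `PARSER-5-CFGLOG_LOGGEDCMD` command-log shape and the `no crypto engine accelerator` / `crypto engine software` command strings are assumptions, not a verified vendor reference), raises a critical alert when an operator command switches crypto to the software path, treats an `ACCEL_FAIL` fallback within five minutes of that command as its consequence rather than a second alert, keeps an uncorrelated fallback at medium because it may be the hardware-fault false positive listed above, and marks rather than drops alerts that fall inside a declared maintenance window:

```python
"""Detection sketch for T1600.002 over network-device syslog (added example)."""
import re
from datetime import datetime, timedelta

# Assumed line shape (Cisco IOS-style): "Mon DD HH:MM:SS host %FACILITY-sev-MNEMONIC: text".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$"
)
LOG_YEAR = 2026  # the lines carry no year; assumed so timestamps can be compared

# Config-archive entry carrying the command an operator typed (assumed format).
CMD_LOG_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
# Illustrative IOS-style commands that move crypto to the software path (assumption).
DISABLE_CMD_RE = re.compile(
    r"^\s*no\s+crypto\s+engine\s+(accelerator|onboard)\b|^\s*crypto\s+engine\s+software\b", re.I)
ENABLE_CMD_RE = re.compile(r"^\s*crypto\s+engine\s+(accelerator|onboard)\b", re.I)

FALLBACK_MNEMONIC = "ACCEL_FAIL"           # hardware accelerator failure / software fallback
CORRELATION_WINDOW = timedelta(minutes=5)  # fallback this soon after a disable command is its consequence

# Constructed sample input, not captured from any real device.
SAMPLE_LOGS = [
    "Mar 13 02:11:07 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Mar 13 02:11:09 edge-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:no crypto engine accelerator",
    "Mar 13 02:11:10 edge-rtr1 %CRYPTO_ENGINE-4-ACCEL_FAIL: Hardware crypto accelerator failed, falling back to software",
    "Mar 13 03:30:00 edge-rtr2 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:crypto engine accelerator",
    "Mar 13 04:00:00 core-fw1 %CRYPTO_ENGINE-4-ACCEL_FAIL: Hardware crypto accelerator failed, falling back to software",
    "Mar 13 05:00:00 lab-rtr9 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:no crypto engine accelerator",
]
# Declared maintenance windows: (host, start, end). Constructed for the sample.
MAINT_WINDOWS = [("lab-rtr9", datetime(2026, 3, 13, 4, 30), datetime(2026, 3, 13, 5, 30))]


def parse_line(line):
    """Parse one syslog line into a dict, or None if it does not match the assumed shape."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "host": m["host"], "facility": m["facility"],
            "mnemonic": m["mnemonic"], "text": m["text"]}


def in_maintenance(host, ts, windows):
    return any(h == host and start <= ts <= end for h, start, end in windows)


def _alert(host, ts, level, reason, windows, user=None, command=None):
    return {"host": host, "ts": ts, "level": level, "reason": reason, "user": user,
            "command": command, "suppressed": in_maintenance(host, ts, windows)}


def detect(lines, maintenance_windows=()):
    """Return alerts in time order; maintenance-window hits are marked suppressed, not dropped."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    alerts, disabled_at = [], {}  # disabled_at: host -> time of last operator disable command
    for e in events:
        host, ts = e["host"], e["ts"]
        cmd = CMD_LOG_RE.search(e["text"])
        if cmd and DISABLE_CMD_RE.search(cmd["cmd"]):
            disabled_at[host] = ts
            alerts.append(_alert(host, ts, "critical", "operator disabled hardware crypto engine",
                                 maintenance_windows, user=cmd["user"], command=cmd["cmd"].strip()))
        elif cmd and ENABLE_CMD_RE.search(cmd["cmd"]):
            disabled_at.pop(host, None)  # hardware path restored; stop correlating fallbacks
        elif e["mnemonic"] == FALLBACK_MNEMONIC:
            prior = disabled_at.get(host)
            if prior is not None and ts - prior <= CORRELATION_WINDOW:
                continue  # expected consequence of the disable command already alerted on
            alerts.append(_alert(host, ts, "medium",
                                 "software crypto fallback with no logged operator command: "
                                 "hardware fault or an unlogged change such as a modified image; verify on device",
                                 maintenance_windows))
    return alerts


def run_sample():
    return detect(SAMPLE_LOGS, MAINT_WINDOWS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"], a["host"], a["level"], "SUPPRESSED" if a["suppressed"] else "", a["reason"])
```

On the sample this yields three alerts: the edge-rtr1 disable command (critical), the core-fw1 fallback with no preceding command (medium), and the lab-rtr9 disable command, which is still recorded but flagged as inside its maintenance window so an analyst can confirm the change-ticket rather than losing the event entirely. The edge-rtr1 ACCEL_FAIL line produces no separate alert because it arrives one second after the disable command.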
