title: Weaken Encryption (T1600)
id: df00tech-t1600
status: experimental
description: "This detection identifies adversary attempts to weaken or disable encryption on network devices, enabling interception or manipulation of otherwise protected traffic. The detection monitors syslog telemetry from network infrastructure (routers, switches, firewalls, VPN concentrators) for configuration changes affecting cryptographic settings, cipher suite downgrade events, IPsec/SSL policy modifications, and use of management protocols (SSH, NETCONF, SNMP write) to alter crypto configurations. It also tracks endpoint-side indicators such as suspicious use of network device management tools and connections from unexpected hosts to device management interfaces."
references:
  - https://attack.mitre.org/techniques/T1600/
  - https://df00tech.com/detections/T1600
author: df00tech
date: 2026/03/20
tags:
  - attack.t1600
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate network engineers performing scheduled cipher hardening or deprecating legacy ciphers during maintenance windows
  - "Automated network configuration management tools (Ansible, Cisco NSO, SolarWinds NCM) performing compliance-driven crypto policy updates"
  - Security assessments or penetration testing engagements that test downgrade attacks against network devices
  - Vendor-driven firmware upgrades that temporarily modify crypto settings before applying a stronger default configuration
level: high