Impair Defenses: Downgrade Attack

Created the Tuesday 07 February 2023. Updated 6 months, 3 weeks ago.

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.

Adversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.

Technique Identifier

T1562.010

Technique Tags

Defense Evasion downgrading Windows Script Block Logging (SBL) removing features execute malicious scripts Adversary-in-the-Middle.

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Impair Defenses: Downgrade Attack, Sub-technique T1562.010 - Enterprise | MITRE ATT&CK®