Huseyin Can YUCEEL | 3 MIN READ

CREATED ON April 03, 2025

MITRE ATT&CK T1562.010 Impair Defenses: Downgrade Attack

Downgrade Attack is a defense evasion technique that adversaries use to intentionally reduce the security posture of a system by forcing it to use weaker protocols, outdated software versions, or less secure configurations. By doing so, attackers can exploit known vulnerabilities, bypass modern security protections, and execute malicious actions with minimal resistance. This technique is particularly dangerous because it allows adversaries to weaken encryption, disable advanced security features, and evade detection by security tools that rely on up-to-date protections.

In this blog post, we explain the T1562.010 Downgrade Attack technique of the MITRE ATT&CK® framework and explore how adversaries employ Downgrade Attack with real-world attack examples in detail.



What is a Downgrade Attack?

In a downgrade attack, adversaries convince the target system to adopt a weaker security protocol or algorithm than the one it is capable of using. Adversaries typically abuse the system's backward compatibility to force it onto an outdated or vulnerable version.

Adversary Use of Downgrade Attack

Using the Downgrade Attack technique, adversaries circumvent updated security controls and force the system into less secure modes of operation. Prime targets for such manipulation include Command and Scripting Interpreters as well as network protocols, which, once downgraded, open avenues for Man-in-the-Middle (MitM) attacks or Network Sniffing.

In the case of Command and Scripting Interpreters, adversaries choose to run less secure versions of an interpreter such as PowerShell. PowerShell versions 5 and above incorporate advanced security features like Script Block Logging (SBL), which records the content of executed scripts. Adversaries may therefore launch an earlier version of the PowerShell engine that lacks SBL support. This not only lets them evade detection but also impairs defenses while they execute malicious scripts that the newer security controls would otherwise have flagged and prevented.
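The engine downgrade described above leaves a trace in the Windows PowerShell log: Event ID 400 (engine lifecycle) records carry both the EngineVersion that actually started and the HostVersion that launched it. The following Python snippet is an added illustration, not code from the original post, of how a detection rule can pick those records out. The event records are constructed samples, the field names follow the layout of the real event message, and the major-version threshold of 5 reflects the release in which Script Block Logging arrived.

```python
import re

# Script Block Logging arrived with PowerShell 5.0, so any engine below 5 is a downgrade.
MIN_SBL_ENGINE_MAJOR = 5

# Constructed sample records (not real telemetry) in the key=value layout that the
# Windows PowerShell "Engine state is changed" event message uses.
SAMPLE_EVENTS = [
    {
        "EventID": 400,
        "Message": "Engine state is changed from None to Available.\n\nDetails:\n"
                   "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
                   "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
                   "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
                   "\tEngineVersion=5.1.19041.1\n",
    },
    {
        "EventID": 400,
        "Message": "Engine state is changed from None to Available.\n\nDetails:\n"
                   "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
                   "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
                   "\tHostApplication=powershell.exe -Version 2 -NoProfile -File C:\\Users\\Public\\run.ps1\n"
                   "\tEngineVersion=2.0\n",
    },
    {
        "EventID": 403,
        "Message": "Engine state is changed from Available to Stopped.\n\nDetails:\n"
                   "\tEngineVersion=5.1.19041.1\n",
    },
]

# One "Key=Value" pair per line inside the Details block.
FIELD_RE = re.compile(r"^\s*(\w+)=(.*)$", re.MULTILINE)


def parse_details(message):
    """Turn the Details block of the event message into a dict."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(message)}


def major_version(version):
    """'5.1.19041.1' -> 5; None when the field is missing or malformed."""
    try:
        return int(version.split(".")[0])
    except (ValueError, AttributeError):
        return None


def find_engine_downgrades(events):
    """Return the Event ID 400 records in which a pre-SBL engine was started."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 400:
            continue
        d = parse_details(ev["Message"])
        engine = major_version(d.get("EngineVersion"))
        host = major_version(d.get("HostVersion"))
        if engine is None:
            continue
        reasons = []
        if engine < MIN_SBL_ENGINE_MAJOR:
            reasons.append(f"engine {d['EngineVersion']} predates Script Block Logging")
        if host is not None and engine < host:
            reasons.append(f"engine {d['EngineVersion']} is lower than host {d['HostVersion']}")
        # An explicit -Version 1..4 switch on the command line is the usual way to ask for it.
        if re.search(r"-v(ersion)?\s+[1-4]\b", d.get("HostApplication", ""), re.IGNORECASE):
            reasons.append("explicit -Version switch on the command line")
        if reasons:
            findings.append({
                "EngineVersion": d["EngineVersion"],
                "HostApplication": d.get("HostApplication", ""),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_engine_downgrades(SAMPLE_EVENTS):
        print(f["EngineVersion"], "|", f["HostApplication"], "|", "; ".join(f["reasons"]))
```

The rule keys on the EngineVersion field rather than on the command line alone, because the engine can also be selected without a visible switch (for example by a host application that embeds the older engine), while the command-line check just adds a reason a responder can quote. The same logic applies unchanged to records forwarded to a SIEM, where the Details block is usually exposed as the event's message text.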

In the context of network protocols, adversaries often downgrade encrypted connections to unsecured counterparts, exposing network data in clear text. For example, they might target the transition from an encrypted HTTPS connection to an unsecured HTTP connection. In doing so, adversaries compromise the confidentiality and integrity of the data in transit. 

This downgrade facilitates Network Sniffing, enabling the malicious actor to intercept and analyze sensitive information flowing through the network. By manipulating the security posture of network protocols, adversaries exploit the system's compatibility with less secure options to undermine the protections that encryption would otherwise provide. For instance, the CVE-2023-48795 vulnerability allows adversaries to launch a prefix truncation attack against the SSH protocol. This attack, known as the Terrapin Attack, leads to a security downgrade of SSHv2 connections during extension negotiation and enables a MitM attack [1].

One notable case involves the exploitation of vulnerabilities in the Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). Adversaries leverage weaknesses in these protocols to force a downgrade from more secure versions to older, less secure ones, making it easier to launch attacks such as the well-known POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. 

In the POODLE attack, adversaries exploit the SSL/TLS downgrade to perform a padding oracle attack, compromising the confidentiality of encrypted data.
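The server-side defense against the SSL/TLS version downgrade that POODLE relies on is the TLS_FALLBACK_SCSV signal from RFC 7507: a client retrying with a lower version includes a marker cipher suite, and a server that supports a higher version must then refuse the handshake. The following Python code is an added example, not code from the original post, that builds and parses a minimal ClientHello and applies that decision rule. The ClientHello bytes are constructed here, the code models TLS 1.2-and-earlier negotiation (where the client's highest version sits in the client_version field), and the server policy values passed to server_decision are assumptions chosen to show a strict and a permissive server side by side.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL3: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


def build_client_hello(client_version, cipher_suites):
    """Construct a minimal ClientHello record (sample data; no extensions).

    client_version is the highest version the client offers, as in pre-1.3 negotiation.
    """
    body = struct.pack("!H", client_version) + bytes(32)   # client_version + zeroed random
    body += b"\x00"                                        # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    # Record layer: ContentType handshake(22), record version, length.
    return b"\x16" + struct.pack("!H", TLS10) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suites]) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                      # skip random
    pos += 1 + body[pos]              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def server_decision(record, server_min=TLS12, server_max=TLS12):
    """Decide what a server with the given version policy does with this ClientHello.

    server_min/server_max are assumed policy values, not taken from any real server.
    """
    client_version, suites = parse_client_hello(record)
    # RFC 7507: a fallback retry that offers less than the server's best version
    # means something between the two endpoints broke the first handshake.
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        return ("abort", "inappropriate_fallback")
    if client_version < server_min:
        return ("abort", "protocol_version")
    return ("accept", VERSION_NAMES[min(client_version, server_max)])


if __name__ == "__main__":
    normal = build_client_hello(TLS12, [0xC02F, 0x009C])
    fallback = build_client_hello(SSL3, [0x000A, TLS_FALLBACK_SCSV])
    legacy = build_client_hello(SSL3, [0x000A])
    print("normal      :", server_decision(normal))
    print("fallback    :", server_decision(fallback))
    print("legacy      :", server_decision(legacy))
    print("SSLv3 server:", server_decision(legacy, server_min=SSL3))
```

The last call shows the configuration that POODLE needs: a server whose minimum version still admits SSLv3 accepts the downgraded handshake, while the strict default policy rejects it outright. The SCSV rule only helps against a client that has been pushed into a retry; a server that simply does not offer SSLv3 or TLS 1.0 removes the downgrade target altogether, which is the configuration to aim for.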

Furthermore, the exploitation of less secure versions of network protocols is evident in the manipulation of Wi-Fi protocols. Adversaries downgrade a Wi-Fi connection from the more secure WPA3 (Wi-Fi Protected Access 3) to the less secure WPA2 (Wi-Fi Protected Access 2) or even WEP (Wired Equivalent Privacy). This not only exposes the network to potential unauthorized access but also allows adversaries to exploit known vulnerabilities associated with the downgraded protocol, such as the susceptibility of WEP to key-cracking attacks. For example, the Dragonblood vulnerability found in the WPA3 protocol allows adversaries to run an offline dictionary attack by sending a downgrade-to-WPA2 request during the 4-way handshake [2].
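Whether a WPA3 network can be pushed back to WPA2 at all is visible in the RSN information element that the access point advertises in its beacons: a network that lists the PSK authentication method next to SAE is running in transition mode and has left the WPA2 handshake available. The following Python code is an added example, not code from the original post, that parses that element and labels what it offers; the element bytes are constructed samples, and the build_rsn_ie and classify_rsn names are mine.

```python
import struct

RSN_ELEMENT_ID = 48
OUI_IEEE = b"\x00\x0f\xac"                       # suite selector OUI used by 802.11i
AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE", 9: "FT-SAE"}
CIPHER_NAMES = {2: "TKIP", 4: "CCMP-128"}
MFPR_BIT, MFPC_BIT = 1 << 6, 1 << 7              # RSN Capabilities: MFP Required / MFP Capable


def build_rsn_ie(pairwise, akms, capabilities):
    """Constructed RSN information element, laid out as a beacon carries it."""
    body = struct.pack("<H", 1)                                   # RSN version 1
    body += OUI_IEEE + bytes([4])                                 # group cipher: CCMP-128
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    body += struct.pack("<H", capabilities)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def parse_rsn_ie(ie):
    """Decode version, ciphers, AKM list and capability flags from an RSN element."""
    if ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    version = struct.unpack("<H", body[:2])[0]
    pos = 2
    group = body[pos + 3]                                         # suite type byte after the OUI
    pos += 4
    n = struct.unpack("<H", body[pos:pos + 2])[0]
    pos += 2
    pairwise = [body[pos + 4 * i + 3] for i in range(n)]
    pos += 4 * n
    n = struct.unpack("<H", body[pos:pos + 2])[0]
    pos += 2
    akms = [body[pos + 4 * i + 3] for i in range(n)]
    pos += 4 * n
    caps = struct.unpack("<H", body[pos:pos + 2])[0] if len(body) >= pos + 2 else 0
    return {"version": version, "group": group, "pairwise": pairwise, "akms": akms, "caps": caps}


def classify_rsn(ie):
    """Label the advertised mode and list the settings that leave a downgrade path open."""
    r = parse_rsn_ie(ie)
    akms = set(r["akms"])
    mfp_required = bool(r["caps"] & MFPR_BIT)
    issues = []
    if 8 in akms and 2 in akms:
        label = "WPA3 transition mode"
        issues.append("PSK offered alongside SAE: a client can be steered to a WPA2 4-way handshake")
    elif 8 in akms:
        label = "WPA3-SAE only"
    elif 2 in akms:
        label = "WPA2-PSK only"
    else:
        label = "other (" + ", ".join(AKM_NAMES.get(a, str(a)) for a in sorted(akms)) + ")"
    if 8 in akms and not mfp_required:
        issues.append("MFP not required: a WPA3-only network sets the MFPR bit")
    if 2 in r["pairwise"]:
        issues.append("TKIP pairwise cipher offered")
    return label, issues


if __name__ == "__main__":
    samples = {
        "wpa3-only": build_rsn_ie([4], [8], MFPR_BIT | MFPC_BIT),
        "transition": build_rsn_ie([4], [2, 8], MFPC_BIT),
        "wpa2-only": build_rsn_ie([4, 2], [2], 0),
    }
    for name, ie in samples.items():
        label, issues = classify_rsn(ie)
        print(f"{name:11} {label:22} {'; '.join(issues) or 'no findings'}")
```

Run against RSN elements captured from your own beacons, the classifier turns the Dragonblood precondition into a checklist item: a network that should be WPA3-only but reports transition mode (or a capability word without MFPR) is the one whose clients can be handed a WPA2 handshake.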

In August 2024, CISA reported that the Iranian APT group Fox Kitten lowered PowerShell policies to a less secure level to run malicious commands in compromised systems [3]. 


References

[1] C. Jones, "SSH shaken, not stirred by Terrapin vulnerability," The Register, Dec. 2023. Available: https://www.theregister.com/2023/12/20/terrapin_attack_ssh/

[2] M. Vanhoef, "Dragonblood." Available: https://wpa3.mathyvanhoef.com

[3] CISA, "Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations," Cybersecurity Advisory AA24-241A, Aug. 2024. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
