MITRE ATT&CK Technique
Description
Adversaries may downgrade or use a version of system features that may be outdated or vulnerable, or that does not support updated security controls. Downgrade attacks typically take advantage of a system’s backward compatibility to force it into less secure modes of operation.

Adversaries may downgrade and use various less-secure versions of features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) or [Network Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: Praetorian TLS Downgrade Attack 2014) For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)(Citation: att_def_ps_logging)

Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)
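Detection logic for the PowerShell case described above, as an added example that is not part of the ATT&CK entry. It assumes records from the classic "Windows PowerShell" event log have been exported as dicts with `event_id`, `computer` and `message` keys, and that engine-start events (ID 400) carry an `EngineVersion` detail line; the sample events and host names are constructed.

```python
import re

# Script Block Logging exists from PowerShell 5 onward (per the description above).
SBL_MIN_MAJOR = 5
FIELD_RE = re.compile(r"^[ \t]*(\w+)=(.*)$", re.MULTILINE)

def parse_fields(message):
    """Extract the key=value detail lines of an engine lifecycle event message."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}

def major(version):
    """Leading integer of a version string, or None if missing or garbled."""
    match = re.match(r"\d+", version or "")
    return int(match.group()) if match else None

def find_downgrades(events):
    """Return engine starts (event 400) whose engine predates SBL support."""
    findings = []
    for event in events:
        if event.get("event_id") != 400:
            continue
        fields = parse_fields(event.get("message", ""))
        engine = major(fields.get("EngineVersion"))
        if engine is None or engine >= SBL_MIN_MAJOR:
            continue  # unparseable record, or an engine that can log script blocks
        findings.append({
            "computer": event.get("computer"),
            "engine_version": fields["EngineVersion"],
            "host_version": fields.get("HostVersion", ""),
            "host_application": fields.get("HostApplication", ""),
        })
    return findings

# Constructed sample events (assumed export format: one dict per log record).
def sample_message(host_ver, engine_ver, app):
    return ("Engine state is changed from None to Available.\n\nDetails:\n"
            f"\tNewEngineState=Available\n\tHostName=ConsoleHost\n"
            f"\tHostVersion={host_ver}\n\tHostApplication={app}\n"
            f"\tEngineVersion={engine_ver}\n\tPipelineId=\n")

SAMPLE_EVENTS = [
    {"event_id": 400, "computer": "WS-01", "message": sample_message("5.1.19041.1", "5.1.19041.1", "powershell.exe")},
    {"event_id": 400, "computer": "WS-02", "message": sample_message("2.0", "2.0", "powershell.exe -Version 2 -File C:\\Temp\\job.ps1")},
    {"event_id": 403, "computer": "WS-02", "message": "Engine state is changed from Available to Stopped."},
]

if __name__ == "__main__":
    for finding in find_downgrades(SAMPLE_EVENTS):
        print(finding)
```

Each finding keeps `HostApplication`, so an analyst can see the command line that requested the older engine and decide whether it belongs to a known legacy job.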
Supported Platforms
Windows, Linux, macOS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-10-08T14:06:28.212Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may downgrade or use a version of system features '
                'that may be outdated, vulnerable, and/or does not support '
                'updated security controls. Downgrade attacks typically take '
                'advantage of a system’s backward compatibility to force it '
                'into less secure modes of operation. \n'
                '\n'
                'Adversaries may downgrade and use various less-secure '
                'versions of features of a system, such as [Command and '
                'Scripting '
                'Interpreter](https://attack.mitre.org/techniques/T1059)s or '
                'even network protocols that can be abused to enable '
                '[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) '
                'or [Network '
                'Sniffing](https://attack.mitre.org/techniques/T1040).(Citation: '
                'Praetorian TLS Downgrade Attack 2014) For example, '
                '[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
                'versions 5+ includes Script Block Logging (SBL), which can '
                'record executed script content. However, adversaries may '
                'attempt to execute a previous version of PowerShell that does '
                'not support SBL with the intent to [Impair '
                'Defenses](https://attack.mitre.org/techniques/T1562) while '
                'running malicious scripts that may have otherwise been '
                'detected.(Citation: CrowdStrike BGH Ransomware '
                '2021)(Citation: Mandiant BYOL 2018)(Citation: '
                'att_def_ps_logging)\n'
                '\n'
                'Adversaries may similarly target network traffic to downgrade '
                'from an encrypted HTTPS connection to an unsecured HTTP '
                'connection that exposes network data in clear text.(Citation: '
                'Targeted SSL Stripping Attacks Are Real)(Citation: '
                'Crowdstrike Downgrade) On Windows systems, adversaries may '
                'downgrade the boot manager to a vulnerable version that '
                'bypasses Secure Boot, granting the ability to disable various '
                'operating system security mechanisms.(Citation: SafeBreach)',
 'external_references': [{'external_id': 'T1562.010',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1562/010'},
                         {'description': 'Alon Leviev. (2024, August 7). '
                                         'Windows Downdate: Downgrade Attacks '
                                         'Using Windows Updates. Retrieved '
                                         'January 8, 2025.',
                          'source_name': 'SafeBreach',
                          'url': 'https://www.safebreach.com/blog/downgrade-attacks-using-windows-updates/'},
                         {'description': 'Bart Lenaerts-Bergman. (2023, March '
                                         '14). WHAT ARE DOWNGRADE ATTACKS?. '
                                         'Retrieved May 24, 2023.',
                          'source_name': 'Crowdstrike Downgrade',
                          'url': 'https://www.crowdstrike.com/cybersecurity-101/attack-types/downgrade-attacks/'},
                         {'description': 'Check Point. (n.d.). Targeted SSL '
                                         'Stripping Attacks Are Real. '
                                         'Retrieved May 24, 2023.',
                          'source_name': 'Targeted SSL Stripping Attacks Are '
                                         'Real',
                          'url': 'https://blog.checkpoint.com/research/targeted-ssl-stripping-attacks-are-real/amp/'},
                         {'description': 'Falcon Complete Team. (2021, May '
                                         '11). Response When Minutes Matter: '
                                         'Rising Up Against Ransomware. '
                                         'Retrieved October 8, 2021.',
                          'source_name': 'CrowdStrike BGH Ransomware 2021',
                          'url': 'https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/'},
                         {'description': 'Hao, M. (2019, February 27). Attack '
                                         'and Defense Around PowerShell Event '
                                         'Logging. Retrieved November 24, '
                                         '2021.',
                          'source_name': 'att_def_ps_logging',
                          'url': 'https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/'},
                         {'description': 'Hastings, M. (2014, July 16). '
                                         'Investigating PowerShell Attacks. '
                                         'Retrieved December 1, 2021.',
                          'source_name': 'inv_ps_attacks',
                          'url': 'https://powershellmagazine.com/2014/07/16/investigating-powershell-attacks/'},
                         {'description': 'Kirk, N. (2018, June 18). Bring Your '
                                         'Own Land (BYOL) – A Novel Red '
                                         'Teaming Technique. Retrieved October '
                                         '8, 2021.',
                          'source_name': 'Mandiant BYOL 2018',
                          'url': 'https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique'},
                         {'description': 'Martin Smolár. (2023, March 1). '
                                         'BlackLotus UEFI bootkit: Myth '
                                         'confirmed. Retrieved February 11, '
                                         '2025.',
                          'source_name': 'welivesecurity',
                          'url': 'https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/'},
                         {'description': 'Microsoft Incident Response. (2023, '
                                         'April 11). Guidance for '
                                         'investigating attacks using '
                                         'CVE-2022-21894: The BlackLotus '
                                         'campaign. Retrieved February 12, '
                                         '2025.',
                          'source_name': 'Microsoft Security',
                          'url': 'https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/'},
                         {'description': 'Praetorian. (2014, August 19). '
                                         'Man-in-the-Middle TLS Protocol '
                                         'Downgrade Attack. Retrieved October '
                                         '8, 2021.',
                          'source_name': 'Praetorian TLS Downgrade Attack 2014',
                          'url': 'https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/'}],
 'id': 'attack-pattern--824add00-99a1-4b15-9a2d-6c5683b7b497',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-10-24T17:49:02.550Z',
 'name': 'Downgrade Attack',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Mayuresh Dani, Qualys',
                          'Daniel Feichter, @VirtualAllocEx, Infosec Tirol',
                          'Arad Inbar, Fidelis Security'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows', 'Linux', 'macOS'],
 'x_mitre_version': '1.3'}