Adversaries may downgrade to, or use, a version of a system feature that is outdated, vulnerable, and/or does not support updated security controls such as logging. For example, PowerShell versions 5+ include Script Block Logging (SBL), which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to Impair Defenses while running malicious scripts that may have otherwise been detected.[1][2]

Adversaries may downgrade and use less-secure versions of various features of a system, such as Command and Scripting Interpreters or even network protocols that can be abused to enable Adversary-in-the-Middle.[3]

| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Consider removing previous versions of tools that are unnecessary to the environment when possible. |

| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0009 | Process | Process Creation |
| | | Process Metadata |

Monitor for commands or other activity that may be indicative of attempts to abuse older or deprecated technologies (e.g., `powershell -v 2`). Also monitor for other abnormal events, such as execution of, and/or processes spawning from, a version of a tool that is not expected in the environment.
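
One way to apply the command-execution monitoring described above to process-creation command lines, as an added example that is not part of the original page. The function names and sample events are hypothetical, and the matching rules (abbreviated `-Version` switches, alternative dash characters, ignoring text after `-Command`/`-File`) are assumptions about how `powershell.exe` parses its arguments.

```python
import re

# Constructed sample process-creation command lines (not from the page).
SAMPLE_EVENTS = [
    "powershell.exe -v 2 -NoProfile",
    "powershell \u2013Version 2.0 -File a.ps1",  # en dash used in place of a hyphen
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File build.ps1',
    "powershell.exe -NoProfile -Command Write-Output -v 2",
]

DASHES = "-/\u2013\u2014\u2015"  # assumed switch prefixes powershell.exe accepts
PAYLOAD = ("command", "file", "encodedcommand")  # text after these is script, not switches
MIN_SBL_MAJOR = 5  # page: Script Block Logging exists in PowerShell 5+

def requested_version(cmdline):
    """Return the major version requested with -Version (any abbreviation), else None."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if not tokens:
        return None
    image = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image not in ("powershell", "powershell.exe"):
        return None
    for i, tok in enumerate(tokens[1:], start=1):
        if len(tok) < 2 or tok[0] not in DASHES:
            continue  # a value, not a switch
        name = tok[1:].lower()
        if name == "ec" or any(p.startswith(name) for p in PAYLOAD):
            return None  # remainder is payload; a "-v" in there is not a version switch
        if "version".startswith(name) and i + 1 < len(tokens):
            m = re.match(r"\d+", tokens[i + 1].strip('"'))
            if m:
                return int(m.group())
    return None

def is_downgrade(cmdline):
    """True when the command line explicitly asks for an engine older than 5."""
    version = requested_version(cmdline)
    return version is not None and version < MIN_SBL_MAJOR

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(is_downgrade(event), event)
```

This only covers an explicit version switch on the command line; the Process Metadata component listed above is still needed to catch an unexpected tool version that was started some other way.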