Description
Adversaries may downgrade system features, or use an older version of them, that is outdated, vulnerable, and/or does not support current security controls. Downgrade attacks typically abuse a system's backward compatibility to force it into a less secure mode of operation.
Adversaries may downgrade and use various less-secure versions of system features, such as a Command and Scripting Interpreter, or even network protocols that can then be abused to enable Adversary-in-the-Middle or Network Sniffing.(Citation: Praetorian TLS Downgrade Attack 2014) For example, PowerShell version 5 and later includes Script Block Logging (SBL), which can record the content of executed scripts. However, adversaries may attempt to run an earlier version of the PowerShell engine (the 2.0 engine, loaded with `powershell.exe -Version 2` wherever that optional feature is still installed) that does not support SBL, with the intent of impairing defenses while running malicious scripts that might otherwise have been detected.(Citation: CrowdStrike downgrade attack)(Citation: Google Cloud downgrade attack)(Citation: att_def_ps_logging)
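As an added example (written for this page, not code from ATT&CK or any of the cited sources), the check below runs the usual engine-downgrade detection over constructed sample records modelled on Event ID 400 and 403 (Engine Lifecycle) from the classic Windows PowerShell event log. Two signals are used: an EngineVersion older than the HostVersion means a newer host deliberately loaded an older engine, and a HostApplication command line carrying -Version 2 (or any prefix of that switch) shows the downgrade was requested explicitly. The records, paths and version strings are constructed for the example; the field names are the ones the log uses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records (not real captures), modelled on the classic
# "Windows PowerShell" event log: Event ID 400 (Engine Lifecycle, engine
# started) and 403 (engine stopped). The message body carries a "Details:"
# block of key=value lines, which is what we parse below.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # v2 engine loaded on a v5 host: the SBL-evading downgrade
        "event_id": "400",
        "message": (
            "Engine state is changed from None to Available.\n\nDetails:\n"
            "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
            "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
            "\tHostApplication=powershell.exe -version 2 -nop -File C:\\temp\\run.ps1\n"
            "\tEngineVersion=2.0\n"
        ),
    },
    {   # normal v5 engine on a v5 host: benign
        "event_id": "400",
        "message": (
            "Engine state is changed from None to Available.\n\nDetails:\n"
            "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
            "\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
            "\tHostApplication=powershell.exe -File C:\\temp\\run.ps1\n"
            "\tEngineVersion=5.1.19041.1\n"
        ),
    },
    {   # legacy host (constructed; think of an old Windows 7 box): v2 host and
        # v2 engine is not a downgrade, so the host-vs-engine test must not fire
        "event_id": "400",
        "message": (
            "Engine state is changed from None to Available.\n\nDetails:\n"
            "\tHostName=ConsoleHost\n\tHostVersion=2.0\n"
            "\tHostApplication=powershell.exe\n\tEngineVersion=2.0\n"
        ),
    },
    {   # unrelated provider lifecycle event, ignored by the detection
        "event_id": "600",
        "message": "Provider \"Registry\" is Started.\n\nDetails:\n\tProviderName=Registry\n",
    },
]

_DETAIL_LINE = re.compile(r"^\s*([A-Za-z]+)=(.*)$", re.MULTILINE)
# powershell.exe accepts any unambiguous prefix of -Version, so "-v 2" works too
_LEGACY_VERSION_SWITCH = re.compile(r"(?i)(?:^|\s)-v[a-z]*\s+[1-4](?:\.0)?\b")


def parse_details(message: str) -> Dict[str, str]:
    """Turn the key=value 'Details:' block of an engine lifecycle event into a dict."""
    return {k: v.strip() for k, v in _DETAIL_LINE.findall(message)}


def major_version(version: str) -> Optional[int]:
    """'5.1.19041.1' -> 5; None for empty or malformed strings."""
    head = version.split(".")[0].strip()
    return int(head) if head.isdigit() else None


def requests_legacy_engine(command_line: str) -> bool:
    """True when the command line explicitly asks for a pre-5 engine (-Version 2, -v 2, ...)."""
    return _LEGACY_VERSION_SWITCH.search(command_line) is not None


def find_downgrades(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag engine lifecycle events where an older engine runs under a newer host.

    Comparing EngineVersion against HostVersion, rather than matching
    EngineVersion=2.0 alone, avoids flagging genuinely old hosts that have
    nothing newer to downgrade from.
    """
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("event_id") not in ("400", "403"):
            continue
        details = parse_details(ev.get("message", ""))
        engine = major_version(details.get("EngineVersion", ""))
        host = major_version(details.get("HostVersion", ""))
        if engine is None or host is None:
            continue
        host_app = details.get("HostApplication", "")
        if (engine < 5 and host >= 5) or requests_legacy_engine(host_app):
            findings.append({
                "event_id": ev["event_id"],
                "engine_version": details.get("EngineVersion", ""),
                "host_version": details.get("HostVersion", ""),
                "host_application": host_app,
            })
    return findings


if __name__ == "__main__":
    for f in find_downgrades(SAMPLE_EVENTS):
        print(f"engine {f['engine_version']} under host {f['host_version']}: {f['host_application']}")
```

Only the first record is reported. The same logic ports directly to a SIEM rule keyed on the Windows PowerShell log; the caveat is that Event ID 400 is written by the engine being started, so a host where the 2.0 engine has been removed produces no downgrade to detect, which is the point of the M1042 mitigation further down.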
Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: CrowdStrike Downgrade attack 2) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach)
Mitigations (2)
M1054: Software Configuration
Consider implementing policies on internal web servers, such as HTTP Strict Transport Security (HSTS), that enforce the use of HTTPS/network traffic encryption to prevent insecure connections.(Citation: Chromium HSTS)
M1042: Disable or Remove Feature or Program
Consider removing previous versions of tools that are unnecessary to the environment when possible. On Windows this includes the PowerShell 2.0 engine (the MicrosoftWindowsPowerShellV2 and MicrosoftWindowsPowerShellV2Root optional features) and the SMB1Protocol optional feature, both of which appear in the downgrade paths described above; an engine or protocol that is not installed cannot be downgraded to.
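The HTTPS-to-HTTP stripping described in the technique and the HSTS mitigation above both come down to what the server sends in its Strict-Transport-Security header. The following added example (written for this page, not taken from the cited Chromium documentation) parses that header as RFC 6797 describes it and reports what a downgrade attacker still gets away with, for a weak value and a strong one; both header values are constructed here, and the one-year minimum max-age is the Chromium preload list's published requirement.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Minimum max-age accepted by the Chromium HSTS preload list (one year in seconds)
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed example header values (not taken from any real site)
WEAK_HSTS = "max-age=300"
STRONG_HSTS = "max-age=63072000; includeSubDomains; preload"


def parse_hsts(header: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into {directive-name: value}.

    Per RFC 6797 directives are ';'-separated, names are case-insensitive,
    values may be quoted, and a directive must not appear more than once.
    """
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        directives[name] = value.strip().strip('"')
    return directives


@dataclass
class HstsAssessment:
    valid: bool                      # a browser would accept and store the policy
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    issues: List[str] = field(default_factory=list)


def evaluate_hsts(header: Optional[str]) -> HstsAssessment:
    """Judge whether an HSTS header actually prevents HTTPS-to-HTTP downgrade."""
    if header is None:
        return HstsAssessment(valid=False, issues=[
            "no Strict-Transport-Security header: browsers will follow http:// "
            "links and a stripped connection is never upgraded"])
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return HstsAssessment(valid=False, issues=[f"header ignored by browsers: {exc}"])
    if "max-age" not in d or not d["max-age"].isdigit():
        return HstsAssessment(valid=False, issues=[
            "missing or non-numeric max-age: header is ignored by browsers"])

    a = HstsAssessment(valid=True, max_age=int(d["max-age"]),
                       include_subdomains="includesubdomains" in d,
                       preload="preload" in d)
    if a.max_age == 0:
        a.issues.append("max-age=0 tells browsers to forget the policy")
    elif a.max_age < PRELOAD_MIN_MAX_AGE:
        a.issues.append(f"max-age {a.max_age}s is under one year; the policy expires "
                        "quickly and the host cannot be preloaded")
    if not a.include_subdomains:
        a.issues.append("missing includeSubDomains: subdomains can still be stripped to http")
    if not a.preload:
        a.issues.append("missing preload: the first visit, before any HTTPS response "
                        "has been seen, is unprotected")
    return a


if __name__ == "__main__":
    for name, value in (("weak", WEAK_HSTS), ("strong", STRONG_HSTS), ("absent", None)):
        result = evaluate_hsts(value)
        print(name, "OK" if not result.issues else result.issues)
```

Two caveats a practitioner should keep in mind. HSTS is trust-on-first-use: without preloading, the browser only learns the policy from an HTTPS response it has already received, so the very first connection is exactly where a stripping proxy wins. And an internal hostname cannot be submitted to the preload list on its own; the usual way to cover internal hosts is a preloaded public parent domain with includeSubDomains, which browsers apply to every subdomain whether or not it resolves publicly.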
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) can downgrade NTLM to capture NTLM hashes.(Citation: Github_SILENTTRINITY) |
| S1180 | BlackByte Ransomware | Malware | [BlackByte Ransomware](https://attack.mitre.org/software/S1180) enables SMBv1 during execution.(Citation: Trustwave BlackByte 2021) |
References
- Alon Leviev. (2024, August 7). Windows Downdate: Downgrade Attacks Using Windows Updates. Retrieved January 8, 2025.
- Bart Lenaerts-Bergmans. (2023, March 13). What are Downgrade Attacks? Retrieved April 15, 2026.
- Check Point. (n.d.). Targeted SSL Stripping Attacks Are Real. Retrieved May 24, 2023.
- Falcon Complete Team. (2021, May 11). Response When Minutes Matter: Rising Up Against Ransomware. Retrieved April 15, 2026.
- Hao, M. (2019, February 27). Attack and Defense Around PowerShell Event Logging. Retrieved November 24, 2021.
- Nathan Kirk. (2018, June 18). Bring Your Own Land (BYOL) — A Novel Red Teaming Technique. Retrieved April 15, 2026.
- Praetorian. (2014, August 19). Man-in-the-Middle TLS Protocol Downgrade Attack. Retrieved October 8, 2021.
Frequently Asked Questions
What is T1689 (Downgrade Attack)?
T1689 is a MITRE ATT&CK technique named 'Downgrade Attack'. It belongs to the Defense Impairment tactic(s). Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls. Downgrade attacks typically take advantage of a system's backward compatibility to force it into less secure modes of operation.
How can T1689 be detected?
Detection of T1689 (Downgrade Attack) is most effective when it targets the specific downgrade paths described above: in the Windows PowerShell event log, Engine Lifecycle events (Event ID 400 and 403) whose EngineVersion is older than the HostVersion, and process command lines that invoke powershell.exe with -Version 2; SMBv1 being re-enabled on hosts where it had been disabled; NTLM being negotiated where it is not expected; the boot manager being replaced by an older version; and client connections over plain HTTP to services that should only be reachable over HTTPS. Feed these signals into SIEM rules, EDR detections, or behavioral analytics as appropriate.
What mitigations exist for T1689?
There are 2 documented mitigations for T1689. Key mitigations include: Software Configuration, Disable or Remove Feature or Program.
Which threat groups use T1689?
This page lists no threat-group procedure examples for T1689; the documented uses here are the associated software entries above (SILENTTRINITY downgrading NTLM to capture hashes, and BlackByte Ransomware enabling SMBv1). Check the MITRE ATT&CK website for the latest threat intelligence.