Service Downgrade
Service downgrade is a subtechnique used by attackers during the Deepening Control phase to bypass or weaken runtime protection mechanisms. Rather than disabling a security service outright, which is likely to trigger alerts, attackers deliberately manipulate its configuration so that it runs at a weaker version or enforcement level. This typically involves modifying registry keys, configuration files, or policy settings to force an outdated, vulnerable, or less capable protection mode. For example, an attacker might reconfigure a modern antivirus to use signature-based detection only (disabling heuristic and behavioral analysis), lower TLS version requirements so that weaker, exploitable protocol versions are accepted, or switch endpoint detection and response (EDR) tools into an "audit-only" mode instead of active protection. The technique is particularly insidious because the security service appears to remain operational and may pass basic health checks while its actual protective capability has been severely reduced, allowing attackers to operate with less scrutiny while maintaining their foothold in the environment.
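The defensive counterpart to this technique is checking enforcement level, not just service status. The following added example (not part of the original page, and not tied to any real product's registry keys, files or settings) compares a snapshot of protection-service configuration against a hardened baseline. Settings that form a ladder (TLS minimum version, EDR mode) carry an ordered list of levels so that "still running, but weaker than required" is flagged, and a missing or unrecognised value is treated as a downgrade rather than silently accepted. All setting names, service names and the two snapshots are constructed for illustration.

```python
"""Detect service-downgrade drift: a protection service that still reports
'running' but whose configuration has been weakened below the baseline.
Added example; service and setting names are hypothetical and constructed."""
from dataclasses import dataclass

# Hypothetical hardened baseline. Each setting has an expected value and,
# where values form a ladder of strength, the ordered levels (weakest first).
BASELINE = {
    "antivirus": {
        "heuristics_enabled": {"expected": True},
        "behavioral_enabled": {"expected": True},
    },
    "tls_policy": {
        "min_version": {"expected": "TLS1.2",
                        "order": ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]},
    },
    "edr_agent": {
        "mode": {"expected": "protect",
                 "order": ["disabled", "audit", "protect"]},
    },
}


@dataclass(frozen=True)
class Finding:
    service: str
    setting: str
    expected: object
    observed: object
    health_check_passes: bool  # True when a status-only check would miss this


def is_weaker(observed, spec):
    """True when `observed` is a weaker enforcement level than spec['expected']."""
    expected = spec["expected"]
    order = spec.get("order")
    if observed is None:
        return True  # setting removed: enforcement unknown, treat as downgrade
    if order is None:
        return observed != expected  # boolean/exact-match settings
    if observed not in order:
        return True  # unrecognised level, e.g. an unsupported protocol name
    return order.index(observed) < order.index(expected)


def naive_health_check(snapshot):
    """The status-only check that a downgraded service still passes."""
    return all(entry.get("status") == "running" for entry in snapshot.values())


def audit(snapshot, baseline=BASELINE):
    """Compare a configuration snapshot to the baseline.

    snapshot: {service: {"status": "running" | ..., "config": {setting: value}}}
    Returns one Finding per setting that is weaker than the baseline demands.
    """
    findings = []
    for service, settings in baseline.items():
        entry = snapshot.get(service, {})
        running = entry.get("status") == "running"
        config = entry.get("config", {})
        for setting, spec in settings.items():
            observed = config.get(setting)
            if is_weaker(observed, spec):
                findings.append(Finding(service, setting, spec["expected"],
                                        observed, running))
    return findings


# Constructed snapshots: one compliant host, one whose services were downgraded
# while every service still reports as running.
HEALTHY = {
    "antivirus": {"status": "running",
                  "config": {"heuristics_enabled": True, "behavioral_enabled": True}},
    "tls_policy": {"status": "running", "config": {"min_version": "TLS1.3"}},
    "edr_agent": {"status": "running", "config": {"mode": "protect"}},
}
DOWNGRADED = {
    "antivirus": {"status": "running",
                  "config": {"heuristics_enabled": False, "behavioral_enabled": False}},
    "tls_policy": {"status": "running", "config": {"min_version": "TLS1.0"}},
    "edr_agent": {"status": "running", "config": {"mode": "audit"}},
}

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("downgraded", DOWNGRADED)):
        print(f"{name}: status-only check passes = {naive_health_check(snap)}")
        for f in audit(snap):
            print(f"  DOWNGRADE {f.service}.{f.setting}: "
                  f"expected {f.expected!r}, observed {f.observed!r}")
```

The design point is the `order` list: a plain equality check would flag `TLS1.3` on the healthy host as a deviation from the `TLS1.2` baseline, while an ordered comparison accepts stronger-than-baseline values and only reports weaker ones. In practice the snapshot would be collected by the same tooling that gathers the baseline (configuration management, an EDR posture query, or a registry/policy export), and any finding should be correlated with who changed the setting and when.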