
T1553 Subvert Trust Controls

Adversaries may undermine security controls that either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it carries an attribute set when it was downloaded from the Internet, or a warning that the user is about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls. [2] Adversaries may also create or steal code signing certificates to acquire trust on target systems. [3][4]

ID: T1553
Sub-techniques: T1553.001, T1553.002, T1553.003, T1553.004, T1553.005, T1553.006
Tactics: TA0005
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 05 February 2020
Last Modified: 05 May 2022

Procedure Examples

ID Name Description
G0001 Axiom: Axiom has used digital certificates to deliver malware. [6]

Mitigations

ID Mitigation Description
M1038 Execution Prevention: System settings can prevent applications from running that haven’t been downloaded through the Apple Store (or other legitimate repositories), which can help mitigate some of these issues. Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content.
M1028 Operating System Configuration: Windows Group Policy can be used to manage root certificates, and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. [1]
M1024 Restrict Registry Permissions: Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.
M1054 Software Configuration: HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications, by enforcing use of an expected certificate. [5]

Detection

ID Data Source Data Component
DS0017 Command: Command Execution
DS0022 File: File Metadata
DS0011 Module: Module Load
DS0009 Process: Process Creation
DS0024 Windows Registry: Windows Registry Key Creation
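As an added example (not part of the ATT&CK page), the following detection logic ties the M1028 mitigation above to the DS0024 Windows Registry data component: it scans registry value-set events for a certificate blob written into a per-user Root store and for the ProtectedRoots Flags value being set to anything other than 1. The event field names (image, user, target, details) and the sample events are constructed for this example in the style of Sysmon registry events and are assumptions, not real telemetry.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style "registry value set" events (not real telemetry).
# In such logs the HKCU hive of a user appears under HKU\<SID>.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\certutil.exe", "user": "CORP\\alice",
     "target": r"HKU\S-1-5-21-111-222\Software\Microsoft\SystemCertificates\Root\Certificates\0A1B2C\Blob",
     "details": "Binary Data"},
    {"image": r"C:\Windows\System32\svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": "C:\\Program Files\\Vendor\\update.exe"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\setup.exe", "user": "CORP\\bob",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots\Flags",
     "details": "DWORD (0x00000000)"},
]

# A certificate blob landing in a per-user Root store: trust acquired without admin rights.
USER_ROOT_STORE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates\\[0-9A-Fa-f]+\\Blob$",
    re.IGNORECASE)
# The policy value M1028 sets to 1; any other value re-enables user root installs.
PROTECTED_ROOTS = re.compile(
    r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots\\Flags$",
    re.IGNORECASE)
DWORD = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


def dword_value(details: str) -> Optional[int]:
    """Parse the integer out of a Sysmon-style 'DWORD (0x...)' Details field, else None."""
    m = DWORD.search(details)
    return int(m.group(1), 16) if m else None


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per event that bypasses or weakens root-certificate trust controls."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        target = ev["target"]
        if USER_ROOT_STORE.match(target):
            rule = "user_root_store_write"
        elif PROTECTED_ROOTS.match(target) and dword_value(ev.get("details", "")) != 1:
            rule = "protected_roots_flag_cleared"
        else:
            continue
        alerts.append({"rule": rule, "user": ev["user"], "image": ev["image"], "target": target})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["rule"], a["user"], a["image"], a["target"], sep=" | ")
```

Running it against the constructed events raises two alerts (the user root store write by alice and the Flags value cleared by setup.exe) and ignores the ordinary Run-key write.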

References