T1553 Subvert Trust Controls
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.2 Adversaries may also create or steal code signing certificates to acquire trust on target systems.34
| Item | Value |
|---|---|
| ID | T1553 |
| Sub-techniques | T1553.001, T1553.002, T1553.003, T1553.004, T1553.005, T1553.006 |
| Tactics | TA0005 |
| Platforms | Linux, Windows, macOS |
| Version | 1.3 |
| Created | 05 February 2020 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0001 | Axiom | Axiom has used digital certificates to deliver malware.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention | System settings can prevent applications from running that haven’t been downloaded through the Apple Store (or other legitimate repositories) which can help mitigate some of these issues. Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content. |
| M1028 | Operating System Configuration | Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. 1 |
| M1026 | Privileged Account Management | Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
| M1024 | Restrict Registry Permissions | Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented. |
| M1054 | Software Configuration | HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. 5 |
References
-
Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018. ↩
-
Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018. ↩
-
Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016. ↩
-
Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016. ↩
-
Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017. ↩
-
Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. ↩