Description
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)
Sub-Techniques (6)
- Gatekeeper Bypass
- T1553.002 Code Signing
- T1553.003 SIP and Trust Provider Hijacking
- T1553.004 Install Root Certificate
- T1553.005 Mark-of-the-Web Bypass
- T1553.006 Code Signing Policy Modification
Mitigations (5)
Execution Prevention (M1038)
System settings can prevent applications from running that haven't been downloaded through the Apple Store (or other legitimate repositories) which can help mitigate some of these issues. Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content.
Operating System Configuration (M1028)
Windows Group Policy can be used to manage root certificates, and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)
Privileged Account Management (M1026)
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Restrict Registry Permissions (M1024)
Ensure proper permissions are set on Registry hives to prevent users from modifying keys related to SIP and trust provider components. If malicious modifications to these Registry keys are not prevented, the components can still be redirected to suitable functions already present on disk.
Software Configuration (M1054)
HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations, in which an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications, by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)
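An added audit script, not part of the ATT&CK page or the cited SpectorOps post, that checks the ProtectedRoots Flags value described under M1028 and lists root CAs trusted only in the current user's store. It assumes Windows PowerShell 5.1 or later with the Cert: drive available, and is run as the user whose store is being inspected.

```powershell
# Added example: audit the per-user root store controls described under M1028.
# Path taken from the mitigation text above (Group Policy location of ProtectedRoots).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'

# 1. Is the low bit (0x1) of Flags set? That bit disables the per-user (HKCU) root store,
#    which is what setting the value to 1 achieves; higher bits configure other options.
$flags = (Get-ItemProperty -Path $policyKey -Name Flags -ErrorAction SilentlyContinue).Flags
if ($null -eq $flags) {
    Write-Warning "ProtectedRoots\Flags is not configured; users can add roots to their own HKCU store."
} elseif (($flags -band 1) -eq 0) {
    Write-Warning ("ProtectedRoots\Flags is 0x{0:X}; bit 0x1 (disable user root store) is not set." -f $flags)
} else {
    Write-Output ("ProtectedRoots\Flags is 0x{0:X}; per-user root installs are disabled." -f $flags)
}

# 2. Roots present in the user's logical Root store but not in the machine store.
#    The user's Root view also surfaces machine roots, so the difference is exactly
#    the set installed in this user's context rather than machine-wide; review each one.
$machineRoots = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
$userOnlyRoots = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $machineRoots -notcontains $_.Thumbprint }

if ($userOnlyRoots) {
    Write-Output "Root CAs trusted only in the current user's store:"
    $userOnlyRoots | Select-Object Thumbprint, Subject, NotBefore, NotAfter | Format-Table -AutoSize
} else {
    Write-Output "No user-only root CAs found."
}
```

Run the same check against each interactive user profile to see whether the policy is effective fleet-wide, since the HKCU view only covers the account executing the script.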
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has used digital certificates to deliver malware.(Citation: Novetta-Axiom) |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has suppressed victim NPM warnings using `process["exit"](0x0);` which results in having all err... |
References
- Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.
- Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.
- Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.
Frequently Asked Questions
What is T1553 (Subvert Trust Controls)?
T1553 is a MITRE ATT&CK technique named 'Subvert Trust Controls'. It belongs to the Defense Impairment tactic(s). Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms...
How can T1553 be detected?
Detection of T1553 (Subvert Trust Controls) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1553?
There are 5 documented mitigations for T1553. Key mitigations include: Execution Prevention, Operating System Configuration, Privileged Account Management, Restrict Registry Permissions, Software Configuration.
Which threat groups use T1553?
Known threat groups using T1553 include: Axiom.