T1553 Subvert Trust Controls Mappings

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-6 | Least Privilege | Protects | T1553 | Subvert Trust Controls |
| CA-8 | Penetration Testing | Protects | T1553 | Subvert Trust Controls |
| CM-10 | Software Usage Restrictions | Protects | T1553 | Subvert Trust Controls |
| CM-2 | Baseline Configuration | Protects | T1553 | Subvert Trust Controls |
| CM-3 | Configuration Change Control | Protects | T1553 | Subvert Trust Controls |
| CM-5 | Access Restrictions for Change | Protects | T1553 | Subvert Trust Controls |
| CM-6 | Configuration Settings | Protects | T1553 | Subvert Trust Controls |
| CM-7 | Least Functionality | Protects | T1553 | Subvert Trust Controls |
| CM-8 | System Component Inventory | Protects | T1553 | Subvert Trust Controls |
| IA-7 | Cryptographic Module Authentication | Protects | T1553 | Subvert Trust Controls |
| IA-9 | Service Identification and Authentication | Protects | T1553 | Subvert Trust Controls |
| RA-9 | Criticality Analysis | Protects | T1553 | Subvert Trust Controls |
| SA-10 | Developer Configuration Management | Protects | T1553 | Subvert Trust Controls |
| SA-11 | Developer Testing and Evaluation | Protects | T1553 | Subvert Trust Controls |
| SC-34 | Non-modifiable Executable Programs | Protects | T1553 | Subvert Trust Controls |
| SI-10 | Information Input Validation | Protects | T1553 | Subvert Trust Controls |
| SI-2 | Flaw Remediation | Protects | T1553 | Subvert Trust Controls |
| SI-4 | System Monitoring | Protects | T1553 | Subvert Trust Controls |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1553 | Subvert Trust Controls |
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1553 | Subvert Trust Controls |
| action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1553 | Subvert Trust Controls |
| action.malware.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1553 | Subvert Trust Controls |
| action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1553 | Subvert Trust Controls |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1553.001 | Gatekeeper Bypass | 7 |
| T1553.002 | Code Signing | 1 |
| T1553.003 | SIP and Trust Provider Hijacking | 11 |
| T1553.006 | Code Signing Policy Modification | 14 |
| T1553.005 | Mark-of-the-Web Bypass | 7 |
| T1553.004 | Install Root Certificate | 7 |