T1553 Subvert Trust Controls Mappings

Adversaries may undermine security controls that either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms that identify programs or websites as possessing some level of trust. Examples of such features include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it carries an attribute set when it was downloaded from the Internet, or the user receiving an indication that they are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

VERIS Mappings

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_hsm | Cloud Hardware Security Module (HSM) | technique_scores | T1553 | Subvert Trust Controls | Google Cloud's HSM may protect against adversaries' attempts to undermine trust controls in order to conduct nefarious activity or execute malicious programs. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor. |
| cloud_key_management | Cloud Key Management | technique_scores | T1553 | Subvert Trust Controls | Protects against subversion of trust mechanisms and theft of code signing certificates. |

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_cloudhsm | AWS CloudHSM | technique_scores | T1553 | Subvert Trust Controls | This service provides protection against sub-techniques involving the theft of credentials, certificates, and keys from the organization. |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1553.001 | Gatekeeper Bypass | 1 |
| T1553.002 | Code Signing | 2 |
| T1553.003 | SIP and Trust Provider Hijacking | 1 |
| T1553.006 | Code Signing Policy Modification | 1 |
| T1553.005 | Mark-of-the-Web Bypass | 1 |
| T1553.004 | Install Root Certificate | 2 |