Adversaries may undermine security controls that either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms that identify programs or websites as possessing some level of trust. Examples of such features include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it carries an attribute set when it was downloaded from the Internet, or a browser indicating that the user is about to connect to an untrusted site.
Adversaries may attempt to subvert these trust mechanisms. The method adversaries use depends on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.01 | Configuration baselines | Mitigates | T1553 | Subvert Trust Controls | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-01.02 | Least functionality | Mitigates | T1553 | Subvert Trust Controls | This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques. |
PR.AA-05.02 | Privileged system access | Mitigates | T1553 | Subvert Trust Controls | This diagnostic statement protects against Subvert Trust Controls through the use of privileged account management and the use of multi-factor authentication. |
PR.PS-01.03 | Configuration deviation | Mitigates | T1553 | Subvert Trust Controls | This diagnostic statement provides protection from Subvert Trust Controls through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to subvert trust controls. |
PR.IR-01.06 | Production environment segregation | Mitigates | T1553 | Subvert Trust Controls | This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1553 | Subvert Trust Controls | This control can be used to detect a subset of this technique's sub-techniques while minimizing the false positive rate. |
azure_dedicated_hsm | Azure Dedicated HSM | technique_scores | T1553 | Subvert Trust Controls | Provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_hsm | Cloud Hardware Security Module (HSM) | technique_scores | T1553 | Subvert Trust Controls | Google Cloud's HSM may protect against adversaries' attempts to undermine trusted controls and conduct nefarious activity or execute malicious programs. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor. |
cloud_key_management | Cloud Key Management | technique_scores | T1553 | Subvert Trust Controls | Protects trust mechanisms and helps prevent the theft of code signing certificates. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
aws_cloudhsm | AWS CloudHSM | technique_scores | T1553 | Subvert Trust Controls | This service provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization. |
Technique ID | Technique Name | Number of Mappings |
---|---|---|
T1553.001 | Gatekeeper Bypass | 7 |
T1553.002 | Code Signing | 3 |
T1553.003 | SIP and Trust Provider Hijacking | 12 |
T1553.006 | Code Signing Policy Modification | 19 |
T1553.005 | Mark-of-the-Web Bypass | 7 |
T1553.004 | Install Root Certificate | 13 |