T1553 Subvert Trust Controls

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.PS-01.01 Configuration baselines Mitigates T1553 Subvert Trust Controls
Comments
This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data thereby mitigating adversary exploitation.
References
    PR.PS-01.02 Least functionality Mitigates T1553 Subvert Trust Controls
    Comments
    This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.
    References
      PR.AA-05.02 Privileged system access Mitigates T1553 Subvert Trust Controls
      Comments
      This diagnostic statement protects against Subvert Trust Controls through the use of privileged account management and the use of multi-factor authentication.
      References
        PR.PS-01.03 Configuration deviation Mitigates T1553 Subvert Trust Controls
        Comments
        This diagnostic statement provides protection from Subvert Trust Controls through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baselining and integrity checking can help protect against adversaries attempting to subvert trust controls.
        References
          PR.IR-01.06 Production environment segregation Mitigates T1553 Subvert Trust Controls
          Comments
          This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
          References

            NIST 800-53 Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            CM-06 Configuration Settings mitigates T1553 Subvert Trust Controls
            CM-05 Access Restrictions for Change mitigates T1553 Subvert Trust Controls
            IA-09 Service Identification and Authentication mitigates T1553 Subvert Trust Controls
            SA-10 Developer Configuration Management mitigates T1553 Subvert Trust Controls
            IA-07 Cryptographic Module Authentication mitigates T1553 Subvert Trust Controls
            CM-10 Software Usage Restrictions mitigates T1553 Subvert Trust Controls
            RA-09 Criticality Analysis mitigates T1553 Subvert Trust Controls
            SC-34 Non-modifiable Executable Programs mitigates T1553 Subvert Trust Controls
            SI-02 Flaw Remediation mitigates T1553 Subvert Trust Controls
            CM-08 System Component Inventory mitigates T1553 Subvert Trust Controls
            SI-10 Information Input Validation mitigates T1553 Subvert Trust Controls
            SI-07 Software, Firmware, and Information Integrity mitigates T1553 Subvert Trust Controls
            CM-02 Baseline Configuration mitigates T1553 Subvert Trust Controls
            CM-02 Baseline Configuration mitigates T1553 Subvert Trust Controls
            SA-11 Developer Testing and Evaluation mitigates T1553 Subvert Trust Controls
            CM-07 Least Functionality mitigates T1553 Subvert Trust Controls
            SI-04 System Monitoring mitigates T1553 Subvert Trust Controls
            AC-06 Least Privilege mitigates T1553 Subvert Trust Controls
            AC-03 Access Enforcement mitigates T1553 Subvert Trust Controls
            AC-02 Account Management mitigates T1553 Subvert Trust Controls
            CM-03 Configuration Change Control mitigates T1553 Subvert Trust Controls

            VERIS Mappings

            Azure Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1553 Subvert Trust Controls
            Comments
            This control can be used to detect a subset of this technique's sub-techniques while minimizing the false positive rate.
            References
            azure_dedicated_hsm Azure Dedicated HSM technique_scores T1553 Subvert Trust Controls
            Comments
            Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
            References

            GCP Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            cloud_hsm Cloud Hardware Security Module (HSM) technique_scores T1553 Subvert Trust Controls
            Comments
            Google Cloud's HSM may protect against adversary's attempts to undermine trusted controls and conduct nefarious activity or execute malicious programs. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.
            References
            cloud_key_management Cloud Key Management technique_scores T1553 Subvert Trust Controls
            Comments
            Protects against trust mechanisms and stealing of code signing certificates
            References

            AWS Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            aws_cloudhsm AWS CloudHSM technique_scores T1553 Subvert Trust Controls
            Comments
            This service provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization.
            References

            ATT&CK Subtechniques

            Technique ID Technique Name Number of Mappings
            T1553.001 Gatekeeper Bypass 7
            T1553.002 Code Signing 3
            T1553.003 SIP and Trust Provider Hijacking 12
            T1553.006 Code Signing Policy Modification 19
            T1553.005 Mark-of-the-Web Bypass 7
            T1553.004 Install Root Certificate 13