Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-6 | Least Privilege | Protects | T1553 | Subvert Trust Controls | |
| CM-10 | Software Usage Restrictions | Protects | T1553 | Subvert Trust Controls | |
| CM-2 | Baseline Configuration | Protects | T1553 | Subvert Trust Controls | |
| CM-6 | Configuration Settings | Protects | T1553 | Subvert Trust Controls | |
| CM-7 | Least Functionality | Protects | T1553 | Subvert Trust Controls | |
| IA-9 | Service Identification and Authentication | Protects | T1553 | Subvert Trust Controls | |
| SI-10 | Information Input Validation | Protects | T1553 | Subvert Trust Controls | |
| SI-4 | System Monitoring | Protects | T1553 | Subvert Trust Controls | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1553 | Subvert Trust Controls | |
| adaptive_application_controls | Adaptive Application Controls | technique_scores | T1553 | Subvert Trust Controls |
Comments
This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for the remaining sub-techniques, and therefore its coverage score is Minimal, resulting in a Minimal score.
References
|
| azure_dedicated_hsm | Azure Dedicated HSM | technique_scores | T1553 | Subvert Trust Controls |
Comments
Provides protection against sub-techniques involved with stealing credentials / certificates / keys from the organization.
References
|
| file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1553 | Subvert Trust Controls |
Comments
This control can be used to detect a subset of this technique's sub-techniques while minimizing the false positive rate.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1553.002 | Code Signing | 2 |
| T1553.001 | Gatekeeper Bypass | 6 |
| T1553.004 | Install Root Certificate | 8 |
| T1553.003 | SIP and Trust Provider Hijacking | 11 |