Subvert Trust Controls (T1553)
Tactic: Defense Impairment · Platforms: Linux, macOS, Windows
The interactive view maps 1 detection strategy, 5 mitigations, 1 threat group, 1 software entry to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.
Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls. Adversaries may also create or steal code signing certificates to acquire trust on target systems.
Sub-techniques
- Gatekeeper Bypass (T1553.001)
- Code Signing (T1553.002)
- SIP and Trust Provider Hijacking (T1553.003)
- Install Root Certificate (T1553.004)
- Mark-of-the-Web Bypass (T1553.005)
- Code Signing Policy Modification (T1553.006)