Esc

Subvert Trust Controls - T1553

(ATT&CK® Technique)

Subtechniques

Definition

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1553["Subvert Trust Controls"] --> |modifies| FileSystemMetadata["File System Metadata"]; class T1553 OffensiveTechniqueNode;
        class FileSystemMetadata ArtifactNode; click FileSystemMetadata href "/dao/artifact/d3f:FileSystemMetadata";
        click T1553 href "/offensive-technique/attack/T1553/"; click FileSystemMetadata href "/dao/artifact/d3f:FileSystemMetadata"; T1553["Subvert Trust Controls"] --> |modifies| CertificateTrustStore["Certificate Trust Store"]; class T1553 OffensiveTechniqueNode;
        class CertificateTrustStore ArtifactNode; click CertificateTrustStore href "/dao/artifact/d3f:CertificateTrustStore";
        click T1553 href "/offensive-technique/attack/T1553/"; click CertificateTrustStore href "/dao/artifact/d3f:CertificateTrustStore"; T1553["Subvert Trust Controls"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1553 OffensiveTechniqueNode;
        class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
        click T1553 href "/offensive-technique/attack/T1553/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";                                        RestoreConfiguration["Restore Configuration"] -->
          | restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"];

          RestoreConfiguration["Restore Configuration"] -.->
            | may-restore | T1553["Subvert Trust Controls"] ;
          class RestoreConfiguration DefensiveTechniqueNode;
          class SystemConfigurationDatabaseRecord ArtifactNode;
          click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";

json