Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1553: Subvert Trust Controls

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.[1] Adversaries may also create or steal code signing certificates to acquire trust on target systems.[2][3]

EnterpriseT1553TechniqueObject v2.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Subvert Trust Controls matters because it targets the mechanisms users, operating systems, and security tools rely on to decide whether code, websites, or files should be trusted. If those trust signals are weakened, a signed file, modified policy, root certificate, registry change, or missing download warning can allow untrusted activity to look acceptable. For leaders, this is a control-assurance problem: execution prevention, certificate trust, endpoint hardening, and audit evidence may appear strong on paper while being bypassed in practice.

Executive priority

Prioritize this technique where business operations depend on trusted software distribution, endpoint execution controls, certificate-based trust, or regulated evidence of control effectiveness. Ask whether the organization can prove that code signing materials, root certificate stores, registry permissions, operating system trust settings, and application-control policies are governed, monitored, and recoverable across Windows, macOS, and Linux environments. The relationship to sub-techniques across Gatekeeper, Code Signing, SIP/trust provider hijacking, root certificate installation, Mark-of-the-Web bypass, and code signing policy modification makes this a cross-platform resilience and compliance-readiness issue rather than a single-tool detection problem.

Technical view

ATT&CK places T1553 under defense-impairment for Linux, macOS, and Windows. The official detection field is not provided, so SOC and detection engineering teams should validate coverage around the related detection strategy: certificate, registry, and attribute manipulation. Practical validation should focus on whether changes to trust stores, code signing policy, registry permissions, file attributes such as Mark-of-the-Web, macOS Gatekeeper-related attributes, and signature-validation components are logged and reviewable. IR teams should include trust-control integrity checks in triage when suspicious execution appears to have passed normal trust prompts or application-control decisions.

Likely telemetry

  • Endpoint file metadata and attribute changes, including download-origin or quarantine-style attributes where applicable
  • Code signing validation results and certificate details for executed binaries or scripts
  • Certificate store changes, especially root certificate additions or modifications
  • Windows registry modifications tied to trust providers, code signing policy, or other trust-control settings
  • Operating system security configuration and policy change logs

Detection direction

  • Because ATT&CK provides no official detection text for T1553, treat coverage as a validation exercise rather than an assumed analytic.
  • Use the related DET0452 strategy as direction: look for subversion through certificate, registry, and attribute manipulation.
  • Tune for unauthorized or unusual changes to certificate stores, trust providers, code signing policies, file attributes, and operating system security settings.
  • Correlate trust-control changes with privileged account use, recent file execution, and application-control decisions to reduce noise.
  • Expect legitimate administrative activity, software installation, browser or certificate management, and enterprise configuration changes to create false positives; baselining approved change paths is important.

Mitigation priorities

  • Start with privileged account management so only authorized administrators or processes can alter trust-related configuration, certificate stores, registry locations, or execution policies.
  • Restrict registry permissions for sensitive Windows trust-control and policy areas where applicable.
  • Harden operating system configuration across Linux, macOS, and Windows, with attention to default trust mechanisms and security policy enforcement.
  • Use execution prevention controls to limit unauthorized or untrusted code execution, while validating that those controls cannot be silently weakened by policy or trust-store changes.
  • Review software configuration for applications that maintain their own trust stores or security settings.
Analyst notes and limits

The ATT&CK relationship set shows this parent technique has multiple platform-specific sub-techniques and is mitigated by registry permission restriction, privileged account management, operating system configuration, execution prevention, and software configuration. ATT&CK also maps use by Axiom and Shai-Hulud; this should be treated as threat-context enrichment, not proof of current activity in any environment. The most useful local work is to inventory where trust decisions are made, who can change them, and whether those changes generate actionable telemetry.

The official ATT&CK detection field for T1553 is not provided, and the supplied mitigation descriptions are high level. This take does not assert detection coverage, exploitation prevalence, customer exposure, or active campaigns. Local platform configuration, EDR/SIEM logging, application-control design, certificate governance, and administrative workflows are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Subvert Trust Controls

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls.[1] Adversaries may also create or steal code signing certificates to acquire trust on target systems.[2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

6 rows
Domain ID Name Relationship / procedure
Enterprise T1553.005 Mark-of-the-Web Bypass Sub-technique Mark-of-the-Web Bypass subtechnique of this object.
Enterprise T1553.002 Code Signing Sub-technique Code Signing subtechnique of this object.
Enterprise T1553.004 Install Root Certificate Sub-technique Install Root Certificate subtechnique of this object.
Enterprise T1553.003 SIP and Trust Provider Hijacking Sub-technique SIP and Trust Provider Hijacking subtechnique of this object.
Enterprise T1553.006 Code Signing Policy Modification Sub-technique Code Signing Policy Modification subtechnique of this object.
Enterprise T1553.001 Gatekeeper Bypass Sub-technique Gatekeeper Bypass subtechnique of this object.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0001: Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]

Malware Enterprise

S9008: Shai-Hulud

Shai-Hulud is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, Shai-Hulud steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows.[1][2][3][4][5][6][7]

LinuxSaaSWindows
Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1038: Execution Prevention Enterprise mitigates · Mitigation M1028: Operating System Configuration Enterprise subtechnique of · Technique T1553.005: Mark-of-the-Web Bypass Enterprise uses · Group G0001: Axiom Enterprise mitigates · Mitigation M1026: Privileged Account Management Enterprise uses · Malware S9008: Shai-Hulud Enterprise detects · Detection Strategy DET0452: Detect Subversion of Trust Controls via Certificate, Registry, and Attribute Manipulation Enterprise subtechnique of · Technique T1553.002: Code Signing Enterprise mitigates · Mitigation M1024: Restrict Registry Permissions Enterprise subtechnique of · Technique T1553.004: Install Root Certificate Enterprise subtechnique of · Technique T1553.003: SIP and Trust Provider Hijacking Enterprise subtechnique of · Technique T1553.006: Code Signing Policy Modification Enterprise subtechnique of · Technique T1553.001: Gatekeeper Bypass Enterprise mitigates · Mitigation M1054: Software Configuration Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1038: Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:

- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`)

Script Blocking:

- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`)

Executable Blocking:

- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.

Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Mitigation Enterprise

M1028: Operating System Configuration

Operating System Configuration involves adjusting system settings and hardening the default configurations of an operating system (OS) to mitigate adversary exploitation and prevent abuse of system functionality. Proper OS configurations address security vulnerabilities, limit attack surfaces, and ensure robust defense against a wide range of techniques. This mitigation can be implemented through the following measures:

Disable Unused Features:

- Turn off SMBv1, LLMNR, and NetBIOS where not needed. - Disable remote registry and unnecessary services.

Enforce OS-level Protections:

- Enable Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) on Windows. - Use AppArmor or SELinux on Linux for mandatory access controls.

Secure Access Settings:

- Enable User Account Control (UAC) for Windows. - Restrict root/sudo access on Linux/macOS and enforce strong permissions using sudoers files.

File System Hardening:

- Implement least-privilege access for critical files and system directories. - Audit permissions regularly using tools like icacls (Windows) or getfacl/chmod (Linux/macOS).

Secure Remote Access:

- Restrict RDP, SSH, and VNC to authorized IPs using firewall rules. - Enable NLA for RDP and enforce strong password/lockout policies.

Harden Boot Configurations:

- Enable Secure Boot and enforce UEFI/BIOS password protection. - Use BitLocker or LUKS to encrypt boot drives.

Regular Audits:

- Periodically audit OS configurations using tools like CIS Benchmarks or SCAP tools.

*Tools for Implementation*

Windows:

- Microsoft Group Policy Objects (GPO): Centrally enforce OS security settings. - Windows Defender Exploit Guard: Built-in OS protection against exploits. - CIS-CAT Pro: Audit Windows security configurations based on CIS Benchmarks.

Linux/macOS:

- AppArmor/SELinux: Enforce mandatory access controls. - Lynis: Perform comprehensive security audits. - SCAP Security Guide: Automate configuration hardening using Security Content Automation Protocol.

Cross-Platform:

- Ansible or Chef/Puppet: Automate configuration hardening at scale. - OpenSCAP: Perform compliance and configuration checks.

Mitigation Enterprise

M1026: Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

- Implement RBAC and least privilege principles to allocate permissions securely. - Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

- Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials. - Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

- Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

- Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

- Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

- Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

*Tools for Implementation*

Privileged Access Management (PAM):

- CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

- Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

- Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

- sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

- Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

Mitigation Enterprise

M1024: Restrict Registry Permissions

Restricting registry permissions involves configuring access control settings for sensitive registry keys and hives to ensure that only authorized users or processes can make modifications. By limiting access, organizations can prevent unauthorized changes that adversaries might use for persistence, privilege escalation, or defense evasion. This mitigation can be implemented through the following measures:

Review and Adjust Permissions on Critical Keys

- Regularly review permissions on keys such as `Run`, `RunOnce`, and `Services` to ensure only authorized users have write access. - Use tools like `icacls` or `PowerShell` to automate permission adjustments.

Enable Registry Auditing

- Enable auditing on sensitive keys to log access attempts. - Use Event Viewer or SIEM solutions to analyze logs and detect suspicious activity. - Example Audit Policy: `auditpol /set /subcategory:"Registry" /success:enable /failure:enable`

Protect Credential-Related Hives

- Limit access to hives like `SAM`,`SECURITY`, and `SYSTEM` to prevent credential dumping or other unauthorized access. - Use LSA Protection to add an additional security layer for credential storage.

Restrict Registry Editor Usage

- Use Group Policy to restrict access to regedit.exe for non-administrative users. - Block execution of registry editing tools on endpoints where they are unnecessary.

Deploy Baseline Configuration Tools

- Use tools like Microsoft Security Compliance Toolkit or CIS Benchmarks to apply and maintain secure registry configurations.

*Tools for Implementation*

Registry Permission Tools:

- Registry Editor (regedit): Built-in tool to manage registry permissions. - PowerShell: Automate permissions and manage keys. `Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "KeyName" -Value "Value"` - icacls: Command-line tool to modify ACLs.

Monitoring Tools:

- Sysmon: Monitor and log registry events. - Event Viewer: View registry access logs.

Policy Management Tools:

- Group Policy Management Console (GPMC): Enforce registry permissions via GPOs. - Microsoft Endpoint Manager: Deploy configuration baselines for registry permissions.

Mitigation Enterprise

M1054: Software Configuration

Software configuration refers to making security-focused adjustments to the settings of applications, middleware, databases, or other software to mitigate potential threats. These changes help reduce the attack surface, enforce best practices, and protect sensitive data. This mitigation can be implemented through the following measures:

Conduct a Security Review of Application Settings:

- Review the software documentation to identify recommended security configurations. - Compare default settings against organizational policies and compliance requirements.

Implement Access Controls and Permissions:

- Restrict access to sensitive features or data within the software. - Enforce least privilege principles for all roles and accounts interacting with the software.

Enable Logging and Monitoring:

- Configure detailed logging for key application events such as authentication failures, configuration changes, or unusual activity. - Integrate logs with a centralized monitoring solution, such as a SIEM.

Update and Patch Software Regularly:

- Ensure the software is kept up-to-date with the latest security patches to address known vulnerabilities. - Use automated patch management tools to streamline the update process.

Disable Unnecessary Features or Services:

- Turn off unused functionality or components that could introduce vulnerabilities, such as debugging interfaces or deprecated APIs.

Test Configuration Changes:

- Perform configuration changes in a staging environment before applying them in production. - Conduct regular audits to ensure that settings remain aligned with security policies.

*Tools for Implementation*

Configuration Management Tools:

- Ansible: Automates configuration changes across multiple applications and environments. - Chef: Ensures consistent application settings through code-based configuration management. - Puppet: Automates software configurations and audits changes for compliance.

Security Benchmarking Tools:

- CIS-CAT: Provides benchmarks and audits for secure software configurations. - Aqua Security Trivy: Scans containerized applications for configuration issues.

Vulnerability Management Solutions:

- Nessus: Identifies misconfigurations and suggests corrective actions.

Logging and Monitoring Tools:

- Splunk: Aggregates and analyzes application logs to detect suspicious activity.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.0
Created
Modified
Raw hash
b2008d17df211edd...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.0 Current bundle b2008d17df21…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    SpectorOps Subverting Trust Sept 2017

    Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.

    Open source URL
  2. [2]
    Securelist Digital Certificates

    Ladikov, A. (2015, January 29). Why You Shouldn’t Completely Trust Files Signed with Digital Certificates. Retrieved March 31, 2016.

    Open source URL
  3. [3]
    Symantec Digital Certificates

    Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016.

    Open source URL
  4. [4]
    mitre-attack T1553
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use