Subvert Trust Controls

Adversaries may undermine security controls that either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products contain mechanisms that assign a level of trust to programs or websites. Examples include a program being allowed to run because it is signed with a valid code signing certificate, a program prompting the user with a warning because it carries an attribute marking it as downloaded from the Internet (the Windows Mark-of-the-Web or the macOS quarantine attribute), or a browser warning that the user is about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms, for example by creating or stealing code signing certificates to acquire trust on target systems, or by tampering with the components that perform trust validation, such as registered Subject Interface Packages (SIPs), trust providers, and root certificate stores.[1][2][3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Collect and analyze code signing certificate metadata for software that executes within the environment, looking for unusual certificate characteristics and outliers (for example, issuers never seen before in the environment, self-signed certificates, or unusual validity periods). Periodically baseline registered Subject Interface Packages (SIPs) and trust providers (both the Registry entries and the DLLs on disk they point to), specifically looking for new, modified, or non-Microsoft entries.[4] A system's root certificates are unlikely to change frequently, so monitor new certificates installed on a system that could be due to malicious activity.[5]
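The SIP and trust-provider baseline described above, as an added example that is not part of the original page. It parses two constructed .reg-style exports (a trusted baseline and a current snapshot) of the Registry keys that Windows Authenticode validation consults and reports keys that are new, removed, or modified, plus any registration whose DLL lives outside the system directory. The GUIDs are the well-known PE SIP and WinVerifyTrust generic-verify identifiers; the DLL names in the "current" snapshot (trustpatch.dll, ApproveAll) and the path-based trust rule are assumptions for illustration.

```python
"""Baseline comparison of Windows SIP and trust-provider registrations.

Added example, not code from the original page. Parses .reg-style text into
{key: {value_name: data}} and diffs a current snapshot against a baseline.
"""
import re

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

# Assumed trust boundary for this example: SIP and trust-provider DLLs are
# expected under the system directory. A production check should also verify
# the DLL's own Authenticode signature rather than rely on its path alone.
TRUSTED_DLL_PREFIX = "c:\\windows\\system32\\"

# Constructed baseline export (well-known PE SIP and generic-verify GUIDs).
BASELINE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\Windows\\System32\\WINTRUST.DLL"
"FuncName"="CryptSIPVerifyIndirectData"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}]
"$DLL"="C:\\Windows\\System32\\WINTRUST.DLL"
"$Function"="SoftpubAuthenticode"
"""

# Constructed current snapshot: the FinalPolicy provider now points at a DLL in
# a user-writable directory (assumed name), and a registration that was not in
# the baseline has appeared.
CURRENT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\Windows\\System32\\WINTRUST.DLL"
"FuncName"="CryptSIPVerifyIndirectData"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}]
"$DLL"="C:\\Users\\Public\\trustpatch.dll"
"$Function"="ApproveAll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}]
"Dll"="C:\\Windows\\System32\\WINTRUST.DLL"
"FuncName"="CryptSIPGetSignedDataMsg"
"""


def parse_reg(text):
    """Parse a .reg-style export into {key: {value_name: data}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = REG_VALUE.match(line)
        if m and current is not None:
            # .reg files double every backslash in string data.
            entries[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries


def compare(baseline_text, current_text):
    """Return (kind, key, detail) findings for the current snapshot."""
    base = parse_reg(baseline_text)
    cur = parse_reg(current_text)
    findings = []
    for key, values in cur.items():
        if key not in base:
            findings.append(("new", key, values))
        elif values != base[key]:
            changed = {n: (base[key].get(n), v)
                       for n, v in values.items() if base[key].get(n) != v}
            findings.append(("modified", key, changed))
        # SIP keys use "Dll"; trust-provider keys use "$DLL".
        dll = values.get("Dll") or values.get("$DLL")
        if dll and not dll.lower().startswith(TRUSTED_DLL_PREFIX):
            findings.append(("non-microsoft-dll", key, dll))
    for key in base:
        if key not in cur:
            findings.append(("removed", key, base[key]))
    return findings


if __name__ == "__main__":
    for kind, key, detail in compare(BASELINE, CURRENT):
        print(f"{kind:18} {key}\n{'':18} {detail}")
```

Exporting the real keys with reg.exe (for example reg export "HKLM\SOFTWARE\Microsoft\Cryptography\OID" baseline.reg) and feeding both files to compare() gives the periodic check the text calls for; the same comparison should be run over the DLL files on disk (hash and signature), since an attacker who can write the registration can usually also replace the DLL.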

Analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.[4]
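A triage pass over Autoruns output, as an added example that is not part of the original page or of the Autoruns tool. It reads a constructed CSV in a subset of the column layout autorunsc produces (the column names used here are an assumption) and flags entries that the default "hide Microsoft/Windows entries" view would have concealed: an entry whose signer reads as Microsoft is still reported when its image sits outside the system directories, because a stolen certificate or a hijacked SIP makes such an entry look verified. Unverified signers, third-party signers and images in user-writable locations are reported as well; the path rules are assumptions for illustration.

```python
"""Triage Autoruns CSV output without trusting the Signer column blindly.

Added example, not code from the original page. The sample CSV is constructed.
"""
import csv
import io

# Constructed sample rows (subset of autorunsc -c columns, assumed layout).
SAMPLE_CSV = """Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,C:\\Windows\\System32\\SecurityHealthSystray.exe,C:\\Windows\\System32\\SecurityHealthSystray.exe
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,Logon,Update Service,(Verified) Microsoft Windows,Microsoft Corporation,C:\\Users\\Public\\updater.exe,C:\\Users\\Public\\updater.exe -silent
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Helper,enabled,Logon,Helper,(Not verified) Contoso,Contoso,C:\\ProgramData\\helper\\helper.exe,C:\\ProgramData\\helper\\helper.exe
Task Scheduler,\\Backup,enabled,Tasks,Nightly backup,(Verified) Contoso Ltd,Contoso Ltd,C:\\Program Files\\Contoso\\backup.exe,C:\\Program Files\\Contoso\\backup.exe
"""

# Assumed rules: where Microsoft-signed auto-start images are expected to live,
# and path fragments that ordinary users can write to.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\appdata\\")


def classify_signer(signer):
    """Map an Autoruns Signer string to a coarse trust class."""
    s = signer.strip().lower()
    if not s or s.startswith("(not verified)"):
        return "unverified"
    if s.startswith("(verified) microsoft"):
        return "microsoft"
    if s.startswith("(verified)"):
        return "third-party"
    return "unknown"


def triage(csv_text):
    """Return {entry_name: [reasons]} for every row that deserves a look."""
    reasons_by_entry = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        image = row["Image Path"].lower()
        signer = classify_signer(row["Signer"])
        reasons = []
        if signer in ("unverified", "unknown"):
            reasons.append("signature missing or failed verification")
        # The check the default Autoruns view hides: Microsoft-signed, but
        # not where Microsoft-shipped auto-start binaries normally live.
        if signer == "microsoft" and not image.startswith(SYSTEM_PREFIXES):
            reasons.append("Microsoft-signed image outside system directories")
        if signer == "third-party":
            reasons.append("third-party signer: " + row["Signer"])
        if any(fragment in image for fragment in USER_WRITABLE):
            reasons.append("image in user-writable location")
        if reasons:
            reasons_by_entry[row["Entry"]] = reasons
    return reasons_by_entry


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_CSV).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

Legitimate per-user software (for example, updaters installed under a user profile) will trip the "outside system directories" rule, which is the same baseline problem the text raises for xattr: compare against a known-good run of the same host rather than treating every hit as malicious. Also note that autorunsc typically writes its CSV as UTF-16 text, so decode it before handing it to triage().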

Monitor and investigate attempts to modify extended file attributes with utilities such as xattr (for example, removal of the com.apple.quarantine attribute on macOS, which suppresses the warning for Internet-downloaded files). Built-in system utilities may generate high false positive alerts, so compare against baseline knowledge of how systems are typically used and correlate modification events with other indications of malicious activity where possible.
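The xattr monitoring and correlation described above, as an added example that is not part of the original page. It runs over constructed process-execution and download events (the event fields, the set of interactive parent processes and the 10-minute window are assumptions), recognises the xattr invocations that strip the macOS quarantine attribute (both xattr -d com.apple.quarantine and the broader xattr -c, which clears every attribute), and rates each one low or high depending on whether it came from a non-interactive parent or followed a download of the same path, which is the kind of correlation the text recommends for cutting false positives.

```python
"""Detect quarantine-attribute removal via xattr and correlate it with context.

Added example, not code from the original page. Events are constructed.
"""
import os
import shlex
from datetime import datetime, timedelta

QUARANTINE = "com.apple.quarantine"
# Assumption: these parents indicate a human typing at a shell; anything else
# (scripts, installers, interpreters) is treated as a stronger signal.
INTERACTIVE_PARENTS = {"bash", "zsh", "sh", "Terminal", "iTerm2"}

# Constructed events: process executions with their command line and parent,
# plus download events as a browser or LaunchServices audit source might log.
EVENTS = [
    {"type": "exec", "ts": "2024-03-04T09:00:00", "user": "alice", "parent": "zsh",
     "cmdline": "xattr -l /Users/alice/Downloads/report.pdf"},
    {"type": "exec", "ts": "2024-03-04T09:01:30", "user": "alice", "parent": "zsh",
     "cmdline": "xattr -d com.apple.quarantine /Users/alice/dev/build/tool"},
    {"type": "download", "ts": "2024-03-04T09:05:00", "user": "bob",
     "path": "/Users/bob/Downloads/Installer.app"},
    {"type": "exec", "ts": "2024-03-04T09:05:40", "user": "bob", "parent": "osascript",
     "cmdline": "/usr/bin/xattr -cr /Users/bob/Downloads/Installer.app"},
]


def quarantine_removed(cmdline):
    """Return the paths whose quarantine flag this xattr invocation strips."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return []
    if not argv or os.path.basename(argv[0]) != "xattr":
        return []
    flags = [a for a in argv[1:] if a.startswith("-")]
    args = [a for a in argv[1:] if not a.startswith("-")]
    clears_all = any("c" in f for f in flags)          # xattr -c / -cr
    deletes = any("d" in f for f in flags)             # xattr -d NAME / -dr NAME
    if clears_all:
        return args
    if deletes and args and args[0] == QUARANTINE:
        return args[1:]
    return []


def assess(events, window=timedelta(minutes=10)):
    """Score every quarantine removal by parent process and recent downloads."""
    downloads = [(datetime.fromisoformat(e["ts"]), e["user"], e["path"])
                 for e in events if e["type"] == "download"]
    findings = []
    for e in events:
        if e["type"] != "exec":
            continue
        targets = quarantine_removed(e["cmdline"])
        if not targets:
            continue
        ts = datetime.fromisoformat(e["ts"])
        reasons = []
        if e["parent"] not in INTERACTIVE_PARENTS:
            reasons.append("non-interactive parent " + e["parent"])
        for dts, duser, dpath in downloads:
            same_path = any(t == dpath or t.startswith(dpath.rstrip("/") + "/")
                            for t in targets)
            if duser == e["user"] and same_path and timedelta(0) <= ts - dts <= window:
                reasons.append("follows download of " + dpath)
        findings.append({"ts": e["ts"], "user": e["user"], "targets": targets,
                         "severity": "high" if reasons else "low", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess(EVENTS):
        print(f["severity"].upper(), f["ts"], f["user"], f["targets"], f["reasons"])
```

The low-severity finding for a developer clearing the flag on a build artefact from an interactive shell is deliberate: it stays visible for baselining but does not page anyone. A per-user rate baseline (how often each account normally runs xattr -d) is the natural next filter and can be added on top of the same findings.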

References

ID: VT0016
MITRE ID:
Sub-techniques:
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Data Sources: API monitoring, Application logs, Binary file metadata, DLL monitoring, File monitoring, Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Defense Bypassed: Anti-virus, Application control, Autoruns Analysis, Digital Certificate Validation, Process whitelisting, User Mode Signature Validation, Windows User Account Control
Version: 1.0

Created: 21 December 2020

Last Modified: 21 December 2020