T1553: Subvert Trust Controls

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct File and Directory Permissions Modification or Modify Registry in support of subverting these controls. Adversaries may also create or steal code signing certificates to acquire trust on target systems.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mssql_database: PT-CR-414: MSSQL_Enable_Nonsecure_Property: An attempt to enable a potentially insecure property of a database

Subtechniques

Expert Required. The technique is detected only with the combination of «PT Product + Expert»

Detection

ID: DS0011. Data source and component: Module: Module Load. Description:

Enable CryptoAPI v2 (CAPI) event logging to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (e.g. successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously crafted trust validation component will likely fail (Event ID 3033).
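An added example (not part of the ATT&CK entry) showing how a defender can turn on the CAPI2 Operational log and pull the two event IDs named above for triage; the one-day lookback window is an assumption.

```powershell
# Added example: enable CAPI2 logging and collect Event ID 81 (failed trust
# validation) and Code Integrity Event ID 3033 (protected process refused to
# load a component that failed signing policy). Run in an elevated session.

# The CAPI2 Operational log is disabled by default and is chatty, so enable it
# with a larger maximum size (100 MB) to avoid losing events.
wevtutil set-log Microsoft-Windows-CAPI2/Operational /enabled:true /maxsize:104857600

$Since = (Get-Date).AddDays(-1)   # assumed lookback window

# Event ID 81: WinVerifyTrust failed. A hijacked SIP or trust provider can
# suppress these, so an empty result is not evidence that the host is healthy.
$capiFailures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CAPI2/Operational'
    Id        = 81
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Event ID 3033: Code Integrity blocked a load that did not meet the signing
# level a protected process requires, which is what a malicious SIP load looks like.
$ciFailures = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3033
    StartTime = $Since
} -ErrorAction SilentlyContinue

foreach ($e in @($capiFailures) + @($ciFailures)) {
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Log     = $e.LogName
        Id      = $e.Id
        Summary = ($e.Message -split "`n")[0]   # first line carries the file/reason
    }
}
```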

ID: DS0024. Data source and component: Windows Registry: Windows Registry Key Creation. Description:

Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates. There is a subset of root certificates that is consistent across Windows systems and can be used for comparison:

ID: DS0024. Data source and component: Windows Registry: Windows Registry Key Modification. Description:

Monitoring changes to the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates, and the subset of root certificates that is consistent across Windows systems can be used for comparison. Also consider enabling the Registry Global Object Access Auditing setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values and (sub)keys related to SIPs and trust providers.
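An added example (not from the ATT&CK entry) covering both Registry detections above: it enumerates the root-store keys the text names and reports thumbprints that are not in a saved baseline. The baseline file path is an assumption; the registry subkey names being SHA-1 thumbprints is how Windows stores them.

```powershell
# Added example: diff installed root certificates against a baseline.
$BaselinePath = 'C:\Baselines\root-thumbprints.txt'   # assumed location, one thumbprint per line

# Registry locations named in the detection text. Each certificate is a subkey
# named by its SHA-1 thumbprint, so key names alone are enough to compare.
$RootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates',
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates',
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates',
    'HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates',
    'HKCU:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates'
)

function Get-InstalledRootThumbprints {
    foreach ($key in $RootKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            [pscustomobject]@{ Thumbprint = $_.PSChildName.ToUpper(); Source = $key }
        }
    }
}

if (-not (Test-Path $BaselinePath)) {
    # First run on a known-good host: record the current set for later diffs.
    Get-InstalledRootThumbprints | Select-Object -ExpandProperty Thumbprint -Unique |
        Set-Content $BaselinePath
    Write-Host "Baseline written to $BaselinePath; review it before relying on it."
    return
}

$baseline = Get-Content $BaselinePath | ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ }

# Anything present now but absent from the baseline is the outlier to investigate.
# Resolve the thumbprint to a subject via the certificate provider for triage.
foreach ($c in Get-InstalledRootThumbprints | Where-Object { $baseline -notcontains $_.Thumbprint }) {
    $cert = Get-ChildItem Cert:\ -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $c.Thumbprint } | Select-Object -First 1
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Subject    = if ($cert) { $cert.Subject } else { '(not resolvable)' }
        Source     = $c.Source
    }
}
```

A new root under an HKCU path is worth particular attention, since a per-user root store accepts certificates without administrator rights unless the ProtectedRoots policy described under Mitigation is set.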

ID: DS0022. Data source and component: File: File Metadata. Description:

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.

ID: DS0017. Data source and component: Command: Command Execution. Description:

Command monitoring may reveal malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.

ID: DS0009. Data source and component: Process: Process Creation. Description:

Monitor processes and arguments for malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.

ID: DS0022. Data source and component: File: File Modification. Description:

Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries. Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure “Hide Microsoft Entries” and “Hide Windows Entries” are both deselected.
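An added example (not from the ATT&CK entry) of the SIP and trust provider baseline described above: it walks the Registry registrations, verifies each registered DLL's Authenticode signature, and diffs against the previous snapshot. The snapshot path is an assumption; the Registry locations are the documented registration points for SIPs (under Cryptography\OID) and trust providers (under Cryptography\Providers\Trust).

```powershell
# Added example: baseline SIP and trust provider registrations and flag outliers.
$SnapshotPath = 'C:\Baselines\sip-trust-providers.json'   # assumed location

# SIPs register under OID\EncodingType 0\CryptSIPDll*\{GUID} with Dll/FuncName;
# trust providers under Providers\Trust\<step>\{GUID} with $DLL/$Function.
# WOW6432Node is included because 32-bit verifiers read their own registrations.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0',
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Providers\Trust',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust'
)

function Get-TrustComponentRegistrations {
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root -Recurse |
          Where-Object { $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' -and
                         ($root -notmatch 'OID' -or $_.PSParentPath -match 'CryptSIPDll') } |
          ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            $dll  = @(if ($p.'$DLL') { $p.'$DLL' } else { $p.Dll })[0]
            $func = if ($p.'$Function') { $p.'$Function' } else { $p.FuncName }
            if (-not $dll) { return }
            # Bare file names resolve from System32, as the loader would.
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [IO.Path]::IsPathRooted($path)) { $path = "$env:SystemRoot\System32\$dll" }
            $sig = if (Test-Path $path) { Get-AuthenticodeSignature $path } else { $null }
            [pscustomobject]@{
                Key      = $_.PSPath -replace '^.*::'
                Dll      = $dll
                Function = $func
                Status   = if ($sig) { $sig.Status.ToString() } else { 'Missing' }
                Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
          }
    }
}

$current = Get-TrustComponentRegistrations

# Missing, unsigned, or non-Microsoft components are the entries worth a look.
$current | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Format-Table Key, Dll, Function, Status, Signer -AutoSize

# Diff against the previous run, then save this run as the new snapshot.
if (Test-Path $SnapshotPath) {
    $previous = Get-Content $SnapshotPath -Raw | ConvertFrom-Json
    Compare-Object $previous $current -Property Key, Dll, Function | Format-Table -AutoSize
}
$current | ConvertTo-Json | Set-Content $SnapshotPath
```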

On macOS, the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.

Mitigation

ID: M1024. Name: Restrict Registry Permissions. Description:

Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. If malicious modifications to these Registry keys are not prevented, the components can still be hijacked by redirecting them to suitable functions already present on disk.

ID: M1026. Name: Privileged Account Management. Description:

Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.

ID: M1028. Name: Operating System Configuration. Description:

Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store.

ID: M1038. Name: Execution Prevention. Description:

System settings can prevent applications that haven't been downloaded through the Apple Store (or other legitimate repositories) from running, which can help mitigate some of these issues. Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content.

ID: M1054. Name: Software Configuration. Description:

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where an adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications: it enforces use of an expected certificate.