T1553: T1553

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 05/02/2020 15:54 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1553
Confidence: 100/100
Revoked: No
Published: 05/02/2020 15:54
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Subvert Trust Controls

Platforms

windows macos linux

Description

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

SpectorOps Subverting Trust Sept 2017
Securelist Digital Certificates
Symantec Digital Certificates
SpectorOps Code Signing Dec 2017
mitre-attack (T1553)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (50)

Agenda related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agrius related Pink SandstormAMERICIUM

The MITRE Corporation Confidence 100

[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bloody Wolf related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL0P related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CNC related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Calisto related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview related Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Danabot related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
EXOTIC LILY related

The MITRE Corporation Confidence 100

[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Goldoon related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Grandoreiro related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Head Mare and Twelve related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 50

qaxreporter.exe uses

Family
SparkDownloader uses

Family
Remcos uses

Family
MacStealer uses
HiddenAds uses
Koredos uses

Family
PoisonIvy uses
WinWebDown uses

Family
Tomiris Python Telegram ReverseShell uses

Family
SIDESHOW uses
Realst uses

Family
Redline uses

Family

← Previous

Page / 8

13–24 of 85

Operation SouthNet: SideWinder Expands Phishing and Malware Operations … related

21 MITREs 4 Malwares 1 APT
Rhadamanthys 0.9.x - walk through the updates related

18 MITREs 51 Observables
Beyond Signatures: Detecting Lumma Stealer with an ML-Powered … related

9 MITREs 1 Malware 1 Observable
Technical Analysis of Zloader Updates related

14 MITREs 1 Malware
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide … related

6 CVEs 31 MITREs 92 Observables 1 APT
Raspberry Robin: Latest Updates and Improvements related

1 CVE 15 MITREs 2 Malwares 121 Observables 1 APT
Backdoor implant discovered on PyPI posing as debugging … related

12 MITREs 2 Malwares 1 APT
Grandoreiro Stealer Targeting Spain and Latin America: Malware … related

18 MITREs 1 Malware 1 APT
BeaverTail and Tropidoor Malware Distributed via Recruitment Emails related

19 MITREs 4 Malwares 6 Observables 1 APT
Threat actors leverage tax season to deploy tax-themed … related

15 MITREs 5 Malwares 1 APT
New Ransomware Operator Exploits Fortinet Vulnerability Duo related

17 MITREs 2 Malwares 23 Observables 1 APT
Head Mare and Twelve: Joint attacks on Russian … related

25 MITREs 6 Malwares 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (44)

CVE-2024-7344 targets

8.2 High

Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.

Attack vector: LOCAL
Published: 14/01/2025
Modified: 21/12/2025

Analyzed

CVE-2024-7971 KEV targets

9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. …

Attack vector: Network
Published: 26/08/2024
Modified: 21/12/2025

Analyzed

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2022-22047 KEV targets

Microsoft Windows CSRSS contains an unspecified vulnerability that allows for privilege escalation to SYSTEM privileges.

Published: 12/07/2022
Modified: 20/12/2025

CVE-2022-30190 KEV targets

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2019-0604 KEV targets

Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-21338 KEV targets

7.8 High

Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys …

Attack vector: Local
Published: 04/03/2024
Modified: 21/12/2025

CVE-2024-3094 targets

10.0 Critical

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …

Attack vector: NETWORK
Published: 29/03/2024
Modified: 21/12/2025

CVE-2019-0803 KEV targets

Microsoft Win32k contains an unspecified vulnerability due to it failing to properly handle objects in memory causing privilege escalation. Successful exploitation allows …

Published: 03/11/2021
Modified: 21/12/2025

← Previous

Page / 4

1–12 of 44

T1553.005 subtechnique-of

Mark-of-the-Web Bypass MITRE
T1553.004 subtechnique-of

Install Root Certificate MITRE

Course Of Action (2)

Restrict Registry Permissions mitigates
Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use

T1553: T1553

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (50)

Malware (85)

Reports (50)

Vulnerabilities (CVE) (44)

Attack patterns (MITRE) (2)

Course Of Action (2)