T1553: T1553

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 05/02/2020 15:54 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1553
Confidence: 100/100
Revoked: No
Published: 05/02/2020 15:54
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Subvert Trust Controls

Platforms

windows macos linux

Description

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

SpectorOps Subverting Trust Sept 2017
Securelist Digital Certificates
Symantec Digital Certificates
SpectorOps Code Signing Dec 2017
mitre-attack (T1553)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (50)

ScamClub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Axiom uses Group 72

The MITRE Corporation Confidence 100

[Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree…

First seen 01/01/1970 · Last seen 16/11/5138 ·
KNOTWEED uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Unknown uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke uses IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Billbug uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cuba uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Patchwork uses Hangover GroupChinastrats

The MITRE Corporation Confidence 100

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ping3r and Rodrigo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gleaming Pisces uses UNC1720UNC4736

The MITRE Corporation Confidence 100

[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TEMP.Hermit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-26 (Lazarus) related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 50

FormBook uses

Family
PhantomJitter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CloudMensis uses
Strigoi Master uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
filecoauthx86.exe uses

Family
STAYSHANTE uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Babyk uses

Family
BlackCat uses
DcRAT uses

Family
WINTAPIX uses

Family
CollectionRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ValleyRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 8

1–12 of 85

Operation TaxShadow: Multi-Region Tax Phishing & In-Memory Malware … related

19 MITREs 5 Observables
FakeWallet crypto stealer spreading in the App Store related

AlienVault Confidence 100 23 MITREs 2 Malwares 53 IOCs 53 Observables
Illuminating VoidLink: Technical analysis of the VoidLink rootkit … related

18 MITREs 1 Malware 2 Observables
Analyzing the Current State of AI Use in … related

1 CVE 15 MITREs 2 Malwares 4 Observables
North Korean Lazarus Group Now Working With Medusa … related

20 MITREs 52 Observables 1 APT
UNC1069 Targets Cryptocurrency Sector with New Tooling and … related

12 MITREs 15 Observables 1 APT
Cryptocurrency Sector Targeted with New Tooling and AI-Enabled … related

12 MITREs 15 Observables 1 APT
AI-Automated Threat Hunting Brings GhostPenguin Out of the … related

17 MITREs 1 Malware 2 Observables
New Tomiris tools and techniques: multiple reverse shells, … related

17 MITREs 16 Malwares 66 Observables 1 APT
Contagious Interview Actors Now Utilize JSON Storage Services … related

15 MITREs 4 Malwares 84 Observables 1 APT
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech … related

12 MITREs 1 Malware 12 Observables 1 APT
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech … related

12 MITREs 1 Malware 12 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (44)

CVE-2018-13379 KEV targets

Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-28550 KEV targets

Adobe Acrobat and Reader contains a use-after-free vulnerability that could allow an unauthenticated attacker to achieve code execution in the context of …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-46805 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways contain an authentication bypass vulnerability in the …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2021-33766 KEV targets

Microsoft Exchange Server contains an information disclosure vulnerability which can allow an unauthenticated attacker to steal email traffic from target.

Published: 18/01/2022
Modified: 20/12/2025

CVE-2022-27997 targets

Published: 20/12/2025
Modified: 21/12/2025

CVE-2018-8120 KEV targets

A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.

Published: 15/03/2022
Modified: 21/12/2025

CVE-2026-0628 targets

8.8 High

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …

Attack vector: NETWORK
Published: 07/01/2026
Modified: 09/03/2026

Undergoing Analysis

CVE-2023-42793 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector: Network
Published: 04/10/2023
Modified: 29/05/2026

CVE-2019-1458 KEV targets

A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP.

Published: 10/01/2022
Modified: 20/12/2025

CVE-2021-21551 KEV targets

Dell dbutil driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service (DoS), or information disclosure.

Published: 31/03/2022
Modified: 29/05/2026

CVE-2021-36948 KEV targets

Microsoft Windows Update Medic Service contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 4

25–36 of 44

T1553.005 subtechnique-of

Mark-of-the-Web Bypass MITRE
T1553.004 subtechnique-of

Install Root Certificate MITRE

Course Of Action (2)

Restrict Registry Permissions mitigates
Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use

T1553: T1553

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (50)

Malware (85)

Reports (50)

Vulnerabilities (CVE) (44)

Attack patterns (MITRE) (2)

Course Of Action (2)