T1553: T1553

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1553
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Subvert Trust Controls

Platforms

windows macos linux

Description

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

SpectorOps Subverting Trust Sept 2017
Securelist Digital Certificates
Symantec Digital Certificates
SpectorOps Code Signing Dec 2017
mitre-attack (T1553)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (51)

ScamClub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Axiom uses Group 72

The MITRE Corporation Confidence 100

[Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree…

First seen 01/01/1970 · Last seen 16/11/5138 ·
KNOTWEED uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Unknown uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke uses IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Billbug uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cuba uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Patchwork uses Hangover GroupChinastrats

The MITRE Corporation Confidence 100

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ping3r and Rodrigo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gleaming Pisces uses UNC1720UNC4736

The MITRE Corporation Confidence 100

[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TEMP.Hermit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Rabisu uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 51

FormBook uses

Family
PhantomJitter uses

Family
CloudMensis uses
Strigoi Master uses

Family
filecoauthx86.exe uses

Family
STAYSHANTE uses

Family
Babyk uses

Family
BlackCat uses
DcRAT uses

Family
WINTAPIX uses

Family
CollectionRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ValleyRAT uses

Family

← Previous

Page / 12

1–12 of 134

Operation SouthNet: SideWinder Expands Phishing and Malware Operations … related

21 MITREs 4 Malwares 1 APT
Rhadamanthys 0.9.x - walk through the updates related

18 MITREs 51 Observables
Beyond Signatures: Detecting Lumma Stealer with an ML-Powered … related

9 MITREs 1 Malware 1 Observable
Technical Analysis of Zloader Updates related

14 MITREs 1 Malware
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide … related

6 CVEs 31 MITREs 92 Observables 1 APT
Raspberry Robin: Latest Updates and Improvements related

1 CVE 15 MITREs 2 Malwares 121 Observables 1 APT
Backdoor implant discovered on PyPI posing as debugging … related

12 MITREs 2 Malwares 1 APT
Grandoreiro Stealer Targeting Spain and Latin America: Malware … related

18 MITREs 1 Malware 1 APT
BeaverTail and Tropidoor Malware Distributed via Recruitment Emails related

19 MITREs 4 Malwares 6 Observables 1 APT
Threat actors leverage tax season to deploy tax-themed … related

15 MITREs 5 Malwares 1 APT
New Ransomware Operator Exploits Fortinet Vulnerability Duo related

17 MITREs 2 Malwares 23 Observables 1 APT
Head Mare and Twelve: Joint attacks on Russian … related

25 MITREs 6 Malwares 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (44)

CVE-2024-7344 targets

8.2 High

Howyar UEFI Application "Reloader" (32-bit and 64-bit) is vulnerable to execution of unsigned software in a hardcoded path.

Attack vector: LOCAL
Published: 14/01/2025
Modified: 21/12/2025

Analyzed

CVE-2024-7971 KEV targets

9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. …

Attack vector: Network
Published: 26/08/2024
Modified: 21/12/2025

Analyzed

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2022-22047 KEV targets

Microsoft Windows CSRSS contains an unspecified vulnerability that allows for privilege escalation to SYSTEM privileges.

Published: 12/07/2022
Modified: 20/12/2025

CVE-2022-30190 KEV targets

A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An …

Published: 14/06/2022
Modified: 27/05/2026

CVE-2023-20198 KEV targets

10.0 Critical

Cisco IOS XE Web UI contains a privilege escalation vulnerability in the web user interface that could allow a remote, unauthenticated attacker …

Attack vector: Network
Published: 16/10/2023
Modified: 21/12/2025

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2019-0604 KEV targets

Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-21338 KEV targets

7.8 High

Microsoft Windows Kernel contains an exposed IOCTL with insufficient access control vulnerability within the IOCTL (input and output control) dispatcher in appid.sys …

Attack vector: Local
Published: 04/03/2024
Modified: 21/12/2025

CVE-2024-3094 targets

10.0 Critical

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma …

Attack vector: NETWORK
Published: 29/03/2024
Modified: 21/12/2025

CVE-2019-0803 KEV targets

Microsoft Win32k contains an unspecified vulnerability due to it failing to properly handle objects in memory causing privilege escalation. Successful exploitation allows …

Published: 03/11/2021
Modified: 21/12/2025

← Previous

Page / 4

1–12 of 44

T1553.005 subtechnique-of

Mark-of-the-Web Bypass MITRE
T1553.004 subtechnique-of

Install Root Certificate MITRE

Course Of Action (2)

Restrict Registry Permissions mitigates
Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use

T1553: T1553

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (51)

Malware (134)

Reports (50)

Vulnerabilities (CVE) (44)

Attack patterns (MITRE) (2)

Course Of Action (2)