T1553: T1553

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1553
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Subvert Trust Controls

Platforms

windows macos linux

Description

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

SpectorOps Subverting Trust Sept 2017
Securelist Digital Certificates
Symantec Digital Certificates
SpectorOps Code Signing Dec 2017
mitre-attack (T1553)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (51)

ScamClub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Axiom uses Group 72

The MITRE Corporation Confidence 100

[Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree…

First seen 01/01/1970 · Last seen 16/11/5138 ·
KNOTWEED uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Unknown uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke uses IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Billbug uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cuba uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Patchwork uses Hangover GroupChinastrats

The MITRE Corporation Confidence 100

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ping3r and Rodrigo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gleaming Pisces uses UNC1720UNC4736

The MITRE Corporation Confidence 100

[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TEMP.Hermit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Void Rabisu uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 51

FormBook uses

Family
PhantomJitter uses

Family
CloudMensis uses
Strigoi Master uses

Family
filecoauthx86.exe uses

Family
STAYSHANTE uses

Family
Babyk uses

Family
BlackCat uses
DcRAT uses

Family
WINTAPIX uses

Family
CollectionRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ValleyRAT uses

Family

← Previous

Page / 12

1–12 of 134

Operation TaxShadow: Multi-Region Tax Phishing & In-Memory Malware … related

19 MITREs 5 Observables
FakeWallet crypto stealer spreading in the App Store related

AlienVault Confidence 100 23 MITREs 2 Malwares 53 IOCs 53 Observables
Illuminating VoidLink: Technical analysis of the VoidLink rootkit … related

18 MITREs 1 Malware 2 Observables
Analyzing the Current State of AI Use in … related

1 CVE 15 MITREs 2 Malwares 4 Observables
North Korean Lazarus Group Now Working With Medusa … related

20 MITREs 52 Observables 1 APT
UNC1069 Targets Cryptocurrency Sector with New Tooling and … related

12 MITREs 15 Observables 1 APT
Cryptocurrency Sector Targeted with New Tooling and AI-Enabled … related

12 MITREs 15 Observables 1 APT
AI-Automated Threat Hunting Brings GhostPenguin Out of the … related

17 MITREs 1 Malware 2 Observables
New Tomiris tools and techniques: multiple reverse shells, … related

17 MITREs 16 Malwares 66 Observables 1 APT
Contagious Interview Actors Now Utilize JSON Storage Services … related

15 MITREs 4 Malwares 84 Observables 1 APT
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech … related

12 MITREs 1 Malware 12 Observables 1 APT
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech … related

12 MITREs 1 Malware 12 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (44)

CVE-2021-31201 KEV targets

Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-20273 KEV targets

7.2 High

Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …

Attack vector: Network
Published: 23/10/2023
Modified: 21/12/2025

CVE-2024-38193 KEV targets

7.8 High

Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain …

Attack vector: Local
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2024-38196 targets

7.8 High

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Attack vector: LOCAL
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2022-2204 targets

Published: 20/12/2025
Modified: 20/12/2025

CVE-2015-2051 KEV targets

8.8 High

D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Attack vector: Adjacent
Complexity: LOW
Published: 23/02/2015
Modified: 22/04/2026

CWE-77

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2022-42475 KEV targets

9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2024-5274 KEV targets

9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This …

Attack vector: Network
Published: 28/05/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-31199 KEV targets

Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 4

13–24 of 44

T1553.005 subtechnique-of

Mark-of-the-Web Bypass MITRE
T1553.004 subtechnique-of

Install Root Certificate MITRE

Course Of Action (2)

Restrict Registry Permissions mitigates
Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use

T1553: T1553

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (51)

Malware (134)

Reports (50)

Vulnerabilities (CVE) (44)

Attack patterns (MITRE) (2)

Course Of Action (2)