Subvert Trust Controls (T1553)

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Events covered

17 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 38 rules under this technique (listed by vendor at the end of this page): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so that Sigma's Image, Elastic's process.name and Splunk's process_name collapse into one row. Each rule contributes at most once per row, so a field's Rules count is the number of distinct rules that touch it, not the number of predicates written against it.

Fields filtered most (26 distinct)

The fields most rules look at when detecting this technique. The How column shows which operators rule authors apply to the field (eq, in, contains, starts_with, ends_with, wildcard, match, regex_match) and how many rules use each. Sample values are concrete examples to start from, not an exhaustive list; values ending in ... are truncated on this page.

| Field | Rules | How | Sample values |
| --- | --- | --- | --- |
| EventID | 8 | eq 8 | 23, 400, 4103, 4104, 4663 |
| Image | 8 | ends_with 5, eq 1, in 1, starts_with 1 | \certutil.exe, *\\ai_stubs\\aistubx64.exe, *\\ai_stubs\\aistubx64elevated.exe, *\\ai_stubs\\aistubx86.exe, \ai_stubs\aistubx64.exe |
| OriginalFileName | 6 | eq 6 | popupwrapper.exe, bcdedit.exe, boinc.exe, certmgt.exe, certutil.exe |
| CommandLine | 5 | contains 5 | root, -filepath , -addstore, -dspublish, .crt |
| Details | 5 | contains 2, eq 2, ends_with 1 | .dll, (empty), 0, 0x00000000, 0x00000001 |
| ScriptBlockText | 5 | contains 5 | -imagepath , ):\, -path , .driveletter, 884e2002-217d-11da-b2a4-000e7bbb2b09 |
| TargetObject | 5 | contains 3, wildcard 2, ends_with 1 | *\software\microsoft\cryptography\oid\encodingtype..., *\software\microsoft\cryptography\providers\trust\finalpo..., *\software\wow6432node\microsoft\cryptography\oid\encodin..., \$dll, \cryptsipdll |
| event.type | 5 | eq 5 | change, start |
| registry_value_name | 5 | eq 4, in 1 | Blob, Dll, $DLL, $Dll, BehaviorOnFailedVerify |
| process_name | 3 | eq 3 | agentactivationruntimestarter.exe, agentservice.exe, aggregatorhost.exe, bcdedit.exe, certutil.exe |
| Flags | 2 | eq 2 | 8388608 |
| HasFullTrust | 2 | eq 2 | true |
| TargetFilename | 2 | ends_with 1, match 1 | (?i)\x5cdevice\x5ccdrom, :zone.identifier |
| registry_path | 2 | contains 1, in 1 | *\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType*, *\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\*, *\\SOFTWARE\\WOW6432Node\\Microsoft\\Cryptography\\OID\\E..., \\certificates\\ |
| CallingProcess | 1 | starts_with 1 | svchost.exe,AppReadiness, sysprep.exe |

Top indicator values (779 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. A high number marks a widely used indicator that is noisy on its own (a bare process name or a generic event type matches plenty of benign activity); combine it with a second, technique-specific condition for useful signal. A blank Corpus reach means the combination occurs only in rules under this technique.

| Field | Kind | Value | Rules (here) | Corpus reach |
| --- | --- | --- | --- | --- |
| event.type | eq | change | 3 | 46 |
| event.type | eq | start | 2 | 241 |
| CommandLine | contains | root | 2 | 3 |
| CommandLine | contains | -filepath | 1 | |
| CommandLine | contains | -addstore | 1 | 2 |
| CommandLine | contains | -dspublish | 1 | |
| CommandLine | contains | .crt | 1 | |
| Flags | eq | 8388608 | 2 | 2 |
| HasFullTrust | eq | true | 2 | 2 |
| Image | ends_with | \certutil.exe | 2 | 44 |
| OriginalFileName | eq | popupwrapper.exe | 2 | 2 |
| ScriptBlockText | contains | -imagepath | 2 | 2 |
| ScriptBlockText | contains | mount-diskimage | 2 | 2 |
| TargetObject | contains | \software\microsoft\cryptography\oid\encodingtype | 2 | 2 |
| TargetObject | contains | \software\microsoft\cryptography\providers\ | 2 | 2 |
| TargetObject | contains | \software\wow6432node\microsoft\cryptography\oid\encodingtype | 2 | 2 |
| TargetObject | contains | \software\wow6432node\microsoft\cryptography\providers\ | 2 | 2 |
| process_name | eq | bcdedit.exe | 2 | 7 |
| process_name | eq | certutil.exe | 2 | 22 |
| process_name | eq | cmd.exe | 2 | 75 |
| process_name | eq | cscript.exe | 2 | 22 |
| process_name | eq | expand.exe | 2 | 4 |
| process_name | eq | mshta.exe | 2 | 28 |
| process_name | eq | regsvr32.exe | 2 | 23 |
| process_name | eq | rundll32.exe | 2 | 55 |
| process_name | eq | wscript.exe | 2 | 26 |
| process_name | eq | xcopy.exe | 2 | 3 |
| registry_value_name | eq | Blob | 2 | 2 |
| CallingProcess | starts_with | svchost.exe,AppReadiness | 1 | |
| CallingProcess | starts_with | sysprep.exe | 1 | |

Exclusions (85 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out: stock trust-provider DLLs written by the OS itself, and management or installer executables that legitimately touch the same files and keys. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

| Field | Kind | Value | Rules excluding |
| --- | --- | --- | --- |
| Details | eq | WINTRUST.DLL | 2 |
| Details | eq | mso.dll | 2 |
| Details | eq | C:\Windows\System32\PsfSip.dll | 1 |
| Image | wildcard | ?:\windows\ccm\ccmexec.exe | 2 |
| Image | wildcard | ?:\$windows.~bt\newos\windows\system32\ie4ushowie.exe | 1 |
| Image | wildcard | ?:\program files (x86)\*.exe | 1 |
| Image | wildcard | ?:\program files (x86)\axence\nvision agent 2\nss\certutil.exe | 1 |
| Image | wildcard | ?:\program files\*.exe | 1 |
| Image | wildcard | ?:\program files\git\usr\bin\find.exe | 1 |
| CallingProcess | starts_with | svchost.exe,AppReadiness | 1 |
| CallingProcess | starts_with | sysprep.exe | 1 |
| Details | contains | (empty) | 1 |
| Image | ends_with | \boinc.exe | 1 |
| Image | eq | c:\windows\system32\poqexec.exe | 1 |
| Image | starts_with | c:\windows\installer\razer\installer\ | 1 |
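The authoring guide, the corpus-reach ranking and the exclusion list above describe a rule model without showing it run. What follows is an added example, not code from the catalog or from any of the Sigma, Elastic or Splunk rules it indexes: a small Python evaluator that collapses vendor field names into the catalog's canonical ones, implements the operators named in the How column, applies top-level not() exclusions, and runs three rules assembled from this page's indicators over four constructed events. The alias map, the rule names, the way predicates are grouped into rules, and the sample events (including the all-zero GUID under FinalPolicy) are assumptions made for illustration; the individual field/operator/value triples are taken from the tables above.

```python
"""Added example (not catalog code): evaluate normalized detection predicates
of the kind this page tabulates over a few constructed events."""
import fnmatch
import re

# Vendor field names collapsed into one canonical name, as the catalog does for
# Sigma's Image, Elastic's process.name and Splunk's process_name. This map is
# an assumption for the example; the catalog's full alias table is not on the page.
FIELD_ALIASES = {
    "process.name": "Image", "process_name": "Image",
    "process.command_line": "CommandLine", "process_command_line": "CommandLine",
    "registry.path": "TargetObject", "registry_path": "TargetObject",
    "registry.value": "registry_value_name",
}

# Operators from the How column. Comparisons are case-insensitive, as Windows
# paths and registry keys are; regex_match is applied exactly as written.
OPERATORS = {
    "eq":          lambda v, x: str(v).lower() == x.lower(),
    "contains":    lambda v, x: x.lower() in str(v).lower(),
    "ends_with":   lambda v, x: str(v).lower().endswith(x.lower()),
    "starts_with": lambda v, x: str(v).lower().startswith(x.lower()),
    "wildcard":    lambda v, x: fnmatch.fnmatchcase(str(v).lower(), x.lower()),
    "regex_match": lambda v, x: re.search(x, str(v)) is not None,
}


def normalize(event):
    """Rename vendor-specific keys to canonical ones; unknown keys pass through."""
    return {FIELD_ALIASES.get(k, k): v for k, v in event.items()}


def predicate_matches(event, field, op, value):
    """One (field, operator, value) triple. A list of values is an OR, so 'in'
    is simply 'eq' over a list, matching how the page counts eq/in rows."""
    if field not in event:
        return False
    op = "eq" if op == "in" else op
    alternatives = value if isinstance(value, list) else [value]
    return any(OPERATORS[op](event[field], alt) for alt in alternatives)


def rule_matches(rule, event):
    """All selection predicates must hold and no top-level not() exclusion may."""
    event = normalize(event)
    selected = all(predicate_matches(event, *p) for p in rule["selection"])
    excluded = any(predicate_matches(event, *p) for p in rule.get("exclusions", []))
    return selected and not excluded


def evaluate(rules, events):
    """Return {rule name: [indexes of the events that rule fires on]}."""
    return {r["name"]: [i for i, e in enumerate(events) if rule_matches(r, e)]
            for r in rules}


CRYPTO_KEYS = [  # the four TargetObject contains rows from the indicator table
    "\\software\\microsoft\\cryptography\\oid\\encodingtype",
    "\\software\\microsoft\\cryptography\\providers\\",
    "\\software\\wow6432node\\microsoft\\cryptography\\oid\\encodingtype",
    "\\software\\wow6432node\\microsoft\\cryptography\\providers\\",
]

# Three rules built from indicators and exclusions on this page. Which predicates
# belong together in one rule is this example's assumption, not the catalog's.
RULES = [
    {"name": "certutil adds certificate to Root store",
     "selection": [("Image", "ends_with", "\\certutil.exe"),
                   ("CommandLine", "contains", "-addstore"),
                   ("CommandLine", "contains", "root")]},
    {"name": "SIP or trust provider DLL repointed",
     "selection": [("event.type", "eq", "change"),
                   ("TargetObject", "contains", CRYPTO_KEYS),
                   ("registry_value_name", "in", ["Dll", "$DLL", "$Dll"])],
     "exclusions": [("Details", "eq", "WINTRUST.DLL"),
                    ("Details", "eq", "mso.dll"),
                    ("Details", "eq", "C:\\Windows\\System32\\PsfSip.dll"),
                    ("Image", "wildcard", "?:\\windows\\ccm\\ccmexec.exe")]},
    {"name": "noisy: any certutil execution",  # single indicator, for contrast
     "selection": [("Image", "ends_with", "\\certutil.exe")]},
]

# Constructed events; field names deliberately mix the three vendors' styles.
FINALPOLICY = ("HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy"
               "\\{00000000-0000-0000-0000-000000000000}")  # placeholder GUID
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe",             # 0
     "CommandLine": "certutil -addstore root C:\\Users\\Public\\update.crt",
     "event.type": "start"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe",             # 1
     "CommandLine": "certutil -hashfile installer.msi SHA256", "event.type": "start"},
    {"process_name": "C:\\Windows\\regedit.exe", "registry_path": FINALPOLICY,  # 2
     "registry_value_name": "$DLL", "Details": "C:\\Users\\Public\\policy.dll",
     "event.type": "change"},
    {"process_name": "C:\\Windows\\CCM\\CcmExec.exe", "registry_path": FINALPOLICY,  # 3
     "registry_value_name": "$DLL", "Details": "WINTRUST.DLL", "event.type": "change"},
]

if __name__ == "__main__":
    for name, hits in evaluate(RULES, EVENTS).items():
        print(f"{name}: events {hits}")
```

Running the block prints which events each rule fires on. The single-indicator rule fires on the benign hash check as well as the Root-store import, which is what a high Corpus reach on \certutil.exe alone predicts, while the combined rule fires only on the import. The registry rule fires on the value that points FinalPolicy at an unsigned DLL in a user-writable path but stays quiet on the ccmexec write of WINTRUST.DLL, which two separate exclusions from the table above catch independently.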

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's full predicates, exclusions and indicators are on its own page; only the per-vendor counts are reproduced here.

Sigma: 21 rules
Elastic: 6 rules
Splunk: 11 rules