Which SIEM platforms have a T1553 detection rule?

df00tech provides T1553 (Subvert Trust Controls) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1553 detection?

The T1553 detection is rated high severity with medium confidence.

What are common false positives for T1553?

Common false positives for T1553 include: Enterprise PKI administrators legitimately adding internal CA certificates to ROOT or TRUSTEDPUBLISHER stores via certutil; Software developers using signtool.exe to sign their own applications during build processes; IT administrators using Unblock-File or removing Zone.Identifier from files downloaded from trusted internal shares.

T1553

Subvert Trust Controls

Q: What data sources are required to detect Subvert Trust Controls (T1553)?

Detecting Subvert Trust Controls requires the following data sources: Process: Process Creation, Command: Command Execution, Windows Registry: Registry Key Modification, Microsoft Defender for Endpoint.

Defense Evasion Last updated: April 13, 2026

Adversaries may undermine security controls that warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products contain mechanisms to identify programs or websites as possessing some level of trust, such as code signing certificates, Mark-of-the-Web (MOTW) attributes, Gatekeeper on macOS, or SIP and Trust Provider validation on Windows. Adversaries attempt to subvert these trust mechanisms through techniques including code signing certificate theft or forgery, MOTW removal, root certificate installation, SIP/Trust Provider hijacking, and Gatekeeper bypass. The method used depends on the specific mechanism being subverted.

What is T1553 Subvert Trust Controls?

Subvert Trust Controls (T1553) maps to the Defense Evasion tactic — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for Subvert Trust Controls, covering the data sources and telemetry it touches: Process: Process Creation, Command: Command Execution, Windows Registry: Registry Key Modification, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1553 Subvert Trust Controls
Canonical reference: https://attack.mitre.org/techniques/T1553/

Microsoft Sentinel / Defender

kusto

let SuspiciousCertOps = dynamic(["certutil", "certmgr", "certreq", "makecert", "pvk2pfx", "signtool"]);
let RootCertPaths = dynamic(["ROOT", "TRUSTEDPUBLISHER", "TRUSTEDPEOPLE", "AUTHROOT"]);
let MotwRemovalPatterns = dynamic(["Zone.Identifier", ":Zone.Identifier", "Unblock-File", "ZoneId"]);
// Branch 1: Certificate store manipulation via certutil
let CertutilOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-addstore", "-delstore", "-importpfx", "-user -addstore", "-enterprise", "-f -addstore")
| extend DetectionBranch = "CertStore_Manipulation"
| extend SuspicionScore = case(
    ProcessCommandLine has "-addstore" and ProcessCommandLine has_any ("ROOT", "AUTHROOT", "TRUSTEDPUBLISHER"), 3,
    ProcessCommandLine has "-importpfx", 2,
    ProcessCommandLine has "-addstore", 1,
    1);
// Branch 2: MOTW removal or ADS deletion
let MotwRemoval = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" or FileName =~ "cmd.exe")
| where ProcessCommandLine has_any (MotwRemovalPatterns)
| extend DetectionBranch = "MOTW_Removal"
| extend SuspicionScore = case(
    ProcessCommandLine has "Unblock-File", 2,
    ProcessCommandLine has "Zone.Identifier" and ProcessCommandLine has_any ("del", "remove", "erase", "Set-Content"), 3,
    1);
// Branch 3: Registry modifications to trust providers or authenticode
let TrustRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Microsoft\\Cryptography\\OID",
    "SOFTWARE\\Microsoft\\Cryptography\\Providers",
    "SOFTWARE\\Policies\\Microsoft\\SystemCertificates",
    "SOFTWARE\\Microsoft\\EnterpriseCertificates",
    "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders"
  )
| where ActionType in~ ("RegistryValueSet", "RegistryKeyCreated")
| extend DetectionBranch = "Trust_Registry_Modification"
| extend SuspicionScore = 2
| project Timestamp, DeviceName, AccountName,
    FileName = InitiatingProcessFileName,
    ProcessCommandLine = InitiatingProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch, SuspicionScore;
// Branch 4: Signed binary proxy / catalog hijacking
let SigToolUsage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "signtool.exe"
| extend DetectionBranch = "Signtool_Usage"
| extend SuspicionScore = case(
    ProcessCommandLine has "sign" and ProcessCommandLine has "/fd", 2,
    1);
// Union all branches
let ProcessAlerts = union CertutilOps, MotwRemoval, SigToolUsage
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, SuspicionScore;
union ProcessAlerts, TrustRegistryMod
| where SuspicionScore >= 1
| sort by SuspicionScore desc, Timestamp desc

Detects attempts to subvert Windows trust controls across four detection branches: (1) certutil manipulating certificate stores including root/trusted publisher stores, (2) Mark-of-the-Web removal via PowerShell Unblock-File or direct ADS deletion, (3) registry modifications to cryptographic trust providers and certificate policy keys, (4) signtool.exe usage for signing operations. Each branch assigns a suspicion score; scores of 3 indicate high-confidence malicious activity such as adding certificates to the ROOT store.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Enterprise PKI administrators legitimately adding internal CA certificates to ROOT or TRUSTEDPUBLISHER stores via certutil
Software developers using signtool.exe to sign their own applications during build processes
IT administrators using Unblock-File or removing Zone.Identifier from files downloaded from trusted internal shares
Group Policy or MDM (Intune) operations that deploy enterprise certificates to certificate stores
Security tools like antivirus or EDR solutions that modify trust provider registry keys during installation or updates

Splunk

spl

index=wineventlog
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, Process_Command_Line)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval User=coalesce(User, SubjectUserName)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
```
``` Branch 1 — certutil certificate store manipulation
| eval CertStoreManip=if(
    match(ImageLower, "certutil\.exe") AND match(CommandLineLower, "(-addstore|-delstore|-importpfx|-enterprise)"),
    1, 0)
| eval RootStoreAdd=if(
    CertStoreManip=1 AND match(CommandLineLower, "(root|authroot|trustedpublisher|trustedpeople)"),
    1, 0)
``` Branch 2 — MOTW removal
| eval MotwRemoval=if(
    match(CommandLineLower, "(unblock-file|zone\.identifier)") AND match(CommandLineLower, "(del |remove|erase|set-content|stream)"),
    1, 0)
| eval UnblockFile=if(
    match(CommandLineLower, "unblock-file"),
    1, 0)
``` Branch 3 — suspicious signtool usage
| eval SigntoolUsage=if(
    match(ImageLower, "signtool\.exe") AND match(CommandLineLower, "sign"),
    1, 0)
``` Branch 4 — makecert or pvk2pfx usage (certificate creation)
| eval CertCreation=if(
    match(ImageLower, "(makecert\.exe|pvk2pfx\.exe)"),
    1, 0)
| eval SuspicionScore=CertStoreManip + RootStoreAdd + MotwRemoval + UnblockFile + SigntoolUsage + CertCreation
| where SuspicionScore > 0
| eval DetectionBranch=case(
    RootStoreAdd=1, "ROOT_CERT_INSTALL",
    CertStoreManip=1, "CERT_STORE_MANIP",
    MotwRemoval=1, "MOTW_REMOVAL",
    UnblockFile=1, "UNBLOCK_FILE",
    SigntoolUsage=1, "SIGNTOOL_SIGN",
    CertCreation=1, "CERT_CREATION",
    true(), "TRUST_SUBVERSION")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DetectionBranch, CertStoreManip, RootStoreAdd, MotwRemoval, UnblockFile,
        SigntoolUsage, CertCreation, SuspicionScore
| sort - SuspicionScore, - _time

Detects trust control subversion attempts using Sysmon Event ID 1 (Process Creation) and Windows Security Event ID 4688. Evaluates four detection branches: certificate store manipulation via certutil, MOTW removal through Unblock-File or Zone.Identifier deletion, signtool signing operations, and certificate creation utilities. Assigns a cumulative suspicion score per event; ROOT store additions receive the highest weighting as they are rarely legitimate outside enterprise PKI operations.

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Enterprise PKI administrators adding internal CA certificates via certutil -addstore ROOT
Build pipelines using signtool.exe for legitimate application code signing
IT helpdesk using Unblock-File to unblock files downloaded from internal SharePoint or file shares
MDM and Group Policy certificate deployment operations
Security software installation modifying cryptographic provider registry keys

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      (
        process.name == "certutil.exe" and
        process.command_line : ("*-addstore*", "*-delstore*", "*-importpfx*", "*-enterprise*")
      ) or
      (
        process.name in~ ("powershell.exe", "pwsh.exe", "cmd.exe") and
        process.command_line : ("*Zone.Identifier*", "*Unblock-File*", "*ZoneId*")
      ) or
      (
        process.name == "signtool.exe" and
        process.command_line : "*sign*"
      ) or
      process.name in~ ("makecert.exe", "pvk2pfx.exe")
    )
  ) or
  (
    event.category == "registry" and
    event.type in ("creation", "change") and
    registry.path : (
      "*SOFTWARE\\Microsoft\\Cryptography\\OID*",
      "*SOFTWARE\\Microsoft\\Cryptography\\Providers*",
      "*SOFTWARE\\Policies\\Microsoft\\SystemCertificates*",
      "*SOFTWARE\\Microsoft\\EnterpriseCertificates*",
      "*SYSTEM\\CurrentControlSet\\Control\\SecurityProviders*"
    )
  )

Detects T1553 Subvert Trust Controls via Elastic EQL across process and registry event categories. Covers certutil certificate store manipulation (-addstore, -delstore, -importpfx, -enterprise), MOTW removal via Zone.Identifier ADS deletion or Unblock-File, signtool signing activity, certificate creation tools (makecert/pvk2pfx), and modifications to Windows cryptography and trust provider registry hives. Uses ECS fields compatible with Elastic Agent endpoint integration and Winlogbeat/Sysmon ingestion.

high severity high confidence

Data Sources

Elastic Agent Endpoint Integration Winlogbeat with Sysmon module Elastic SIEM with Windows event collection

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-windows.sysmon_operational-*

False Positives

PKI administrators and enterprise IT teams legitimately invoke certutil.exe with -addstore to distribute corporate CA certificates to managed endpoints during onboarding or certificate rotation cycles
Development and release engineering pipelines use signtool.exe routinely during build automation and code signing for internal or commercial software releases on CI/CD build agents
Enterprise software deployment tools (SCCM, Intune, Jamf) may remove Zone.Identifier alternate data streams from distributed packages as part of automated deployment preprocessing before execution

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  "Process Name",
  "Command Line",
  "Parent Process Name",
  CASE
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
         AND (LOWER("Command Line") LIKE '%-addstore%' OR LOWER("Command Line") LIKE '%-delstore%'
              OR LOWER("Command Line") LIKE '%-importpfx%' OR LOWER("Command Line") LIKE '%-enterprise%')
         AND (LOWER("Command Line") LIKE '%root%' OR LOWER("Command Line") LIKE '%authroot%'
              OR LOWER("Command Line") LIKE '%trustedpublisher%')
      THEN 'ROOT_CERT_INSTALL'
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
         AND (LOWER("Command Line") LIKE '%-addstore%' OR LOWER("Command Line") LIKE '%-importpfx%')
      THEN 'CERT_STORE_MANIP'
    WHEN (LOWER("Process Name") LIKE '%powershell%' OR LOWER("Process Name") LIKE '%cmd.exe%'
          OR LOWER("Process Name") LIKE '%pwsh.exe%')
         AND (LOWER("Command Line") LIKE '%zone.identifier%' OR LOWER("Command Line") LIKE '%unblock-file%')
      THEN 'MOTW_REMOVAL'
    WHEN LOWER("Process Name") LIKE '%signtool.exe%' AND LOWER("Command Line") LIKE '%sign%'
      THEN 'SIGNTOOL_SIGN'
    WHEN LOWER("Process Name") LIKE '%makecert.exe%' OR LOWER("Process Name") LIKE '%pvk2pfx.exe%'
      THEN 'CERT_CREATION'
    ELSE 'TRUST_SUBVERSION'
  END AS DetectionBranch
FROM events
WHERE LOGSOURCETYPEID IN (12, 119)
  AND (
    (
      LOWER("Process Name") LIKE '%certutil.exe%' AND
      (
        LOWER("Command Line") LIKE '%-addstore%' OR
        LOWER("Command Line") LIKE '%-delstore%' OR
        LOWER("Command Line") LIKE '%-importpfx%' OR
        LOWER("Command Line") LIKE '%-enterprise%'
      )
    ) OR
    (
      (
        LOWER("Process Name") LIKE '%powershell%' OR
        LOWER("Process Name") LIKE '%cmd.exe%' OR
        LOWER("Process Name") LIKE '%pwsh.exe%'
      ) AND
      (
        LOWER("Command Line") LIKE '%zone.identifier%' OR
        LOWER("Command Line") LIKE '%unblock-file%' OR
        LOWER("Command Line") LIKE '%zoneid%'
      )
    ) OR
    (
      LOWER("Process Name") LIKE '%signtool.exe%' AND
      LOWER("Command Line") LIKE '%sign%'
    ) OR
    LOWER("Process Name") LIKE '%makecert.exe%' OR
    LOWER("Process Name") LIKE '%pvk2pfx.exe%'
  )
LAST 24 HOURS
ORDER BY starttime DESC

IBM QRadar AQL query detecting T1553 Subvert Trust Controls. Targets Windows Security Event Log (LOGSOURCETYPEID 12, EventID 4688) and Sysmon (LOGSOURCETYPEID 119, EventID 1) process creation events. Detects certutil certificate store manipulation including root store additions, MOTW removal, signtool signing operations, and certificate creation utility usage. Requires custom QRadar DSM properties for Process Name and Command Line to be mapped from raw Windows event payloads.

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688) Sysmon EventLog (EventID 1 - Process Create)

Required Tables

events

False Positives

IT infrastructure teams distributing enterprise root CA certificates to endpoints via Group Policy or manual certutil operations will produce ROOT_CERT_INSTALL and CERT_STORE_MANIP events at scale across fleet-wide certificate rollout windows
Automated code signing systems and developer workstations with signtool integrated into build toolchains will generate high-volume SIGNTOOL_SIGN events during CI/CD pipeline execution on build servers
Legitimate software distribution platforms that download and execute installer packages may strip Zone.Identifier ADS streams in a preprocessing step before execution, triggering MOTW_REMOVAL detections at scale

Sumo Logic CSE

sql

_index=sec_record*
| where metadata_deviceEventId in ("1", "4688")
| where (
    (toLowerCase(baseImage) matches ".*certutil\\.exe.*" AND
     toLowerCase(commandLine) matches ".*(-addstore|-delstore|-importpfx|-enterprise).*")
    OR (toLowerCase(baseImage) matches ".*(powershell|pwsh|cmd)\\.exe.*" AND
        toLowerCase(commandLine) matches ".*(zone\\.identifier|unblock-file|zoneid).*")
    OR (toLowerCase(baseImage) matches ".*signtool\\.exe.*" AND
        toLowerCase(commandLine) matches ".*sign.*")
    OR toLowerCase(baseImage) matches ".*(makecert|pvk2pfx)\\.exe.*"
  )
| eval ImageLower = toLowerCase(baseImage)
| eval CmdLower = toLowerCase(commandLine)
| eval CertStoreManip = if (ImageLower matches ".*certutil\\.exe.*" AND (CmdLower matches ".*-addstore.*" OR CmdLower matches ".*-delstore.*" OR CmdLower matches ".*-importpfx.*" OR CmdLower matches ".*-enterprise.*"), 1, 0)
| eval RootStoreAdd = if (CertStoreManip == 1 AND (CmdLower matches ".*(root|authroot|trustedpublisher|trustedpeople).*"), 1, 0)
| eval MotwRemoval = if (ImageLower matches ".*(powershell|pwsh|cmd)\\.exe.*" AND (CmdLower matches ".*zone\\.identifier.*" OR CmdLower matches ".*unblock-file.*"), 1, 0)
| eval SigntoolUsage = if (ImageLower matches ".*signtool\\.exe.*" AND CmdLower matches ".*sign.*", 1, 0)
| eval CertCreation = if (ImageLower matches ".*(makecert|pvk2pfx)\\.exe.*", 1, 0)
| eval SuspicionScore = CertStoreManip + RootStoreAdd + MotwRemoval + SigntoolUsage + CertCreation
| eval DetectionBranch = if (RootStoreAdd == 1, "ROOT_CERT_INSTALL", if (CertStoreManip == 1, "CERT_STORE_MANIP", if (MotwRemoval == 1, "MOTW_REMOVAL", if (SigntoolUsage == 1, "SIGNTOOL_SIGN", if (CertCreation == 1, "CERT_CREATION", "TRUST_SUBVERSION")))))
| fields metadata_deviceTimestamp, device_hostname, user_username, baseImage, commandLine, parentBaseImage, DetectionBranch, CertStoreManip, RootStoreAdd, MotwRemoval, SigntoolUsage, CertCreation, SuspicionScore
| sort by SuspicionScore desc, metadata_deviceTimestamp desc

Sumo Logic Cloud SIEM (CSE) query detecting T1553 Subvert Trust Controls using the normalized sec_record schema. Targets Sysmon EventID 1 and Windows Security EventID 4688 process creation records ingested through CSE normalization. Implements multi-branch scoring for certutil certificate manipulation, MOTW removal, signtool usage, and certificate creation tools. Requires CSE normalization with baseImage, commandLine, parentBaseImage, device_hostname, and user_username fields populated from Windows endpoint telemetry.

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM (CSE) normalized records Windows Sysmon via CSE normalization Windows Security Event Log via CSE normalization

Required Tables

sec_record_endpoint_os_windows sec_record_*

False Positives

Enterprise certificate lifecycle management processes run by IT security or PKI teams using certutil to install corporate CA certificates into ROOT and TRUSTEDPUBLISHER stores will trigger CERT_STORE_MANIP and ROOT_CERT_INSTALL branches on every managed endpoint during rollouts
Developers using Windows SDK tools (makecert, pvk2pfx, signtool) during local development and testing of code signing workflows will generate persistent CERT_CREATION and SIGNTOOL_SIGN detections on developer workstations
Security scanning and EDR tools that interact with Zone.Identifier ADS attributes during file quarantine, sandboxing, or safe-launch preprocessing workflows may trigger MOTW_REMOVAL detections as a routine operational side effect

Google Chronicle / SecOps

yaral

rule t1553_subvert_trust_controls {
  meta:
    author = "Detection Engineering"
    description = "Detects T1553 Subvert Trust Controls: certutil certificate store manipulation, MOTW removal via Zone.Identifier or Unblock-File, signtool signing, certificate creation tools, and trust provider registry modifications"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1553"
    reference = "https://attack.mitre.org/techniques/T1553/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        (
          re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`) and
          re.regex($e.target.process.command_line, `(?i)(-addstore|-delstore|-importpfx|-enterprise)`)
        ) or
        (
          re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh|cmd)\.exe$`) and
          re.regex($e.target.process.command_line, `(?i)(unblock-file|zone\.identifier|zoneid)`)
        ) or
        (
          re.regex($e.target.process.file.full_path, `(?i)signtool\.exe$`) and
          re.regex($e.target.process.command_line, `(?i)\bsign\b`)
        ) or
        re.regex($e.target.process.file.full_path, `(?i)(makecert|pvk2pfx)\.exe$`)
      )
    ) or
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key,
        `(?i)(SOFTWARE.Microsoft.Cryptography.(OID|Providers)|SOFTWARE.(Policies.Microsoft.SystemCertificates|Microsoft.EnterpriseCertificates)|SYSTEM.CurrentControlSet.Control.SecurityProviders)`
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1553 Subvert Trust Controls. Matches PROCESS_LAUNCH events for certutil store manipulation, PowerShell/cmd MOTW removal, signtool signing, and certificate creation tools (makecert, pvk2pfx). Also matches REGISTRY_MODIFICATION events targeting Windows cryptography OID, provider, enterprise certificate, and security provider registry paths. Designed for UDM telemetry ingested via Chronicle forwarder from Sysmon, Windows Defender ATP, or CrowdStrike Falcon.

high severity high confidence

Data Sources

Google Chronicle UDM Chronicle Forwarder with Windows Sysmon Microsoft Defender for Endpoint via Chronicle integration CrowdStrike Falcon via Chronicle integration

Required Tables

PROCESS_LAUNCH UDM events REGISTRY_MODIFICATION UDM events

False Positives

Enterprise PKI operations using certutil to distribute root CA certificates across managed fleets during certificate renewal cycles will match the certutil branch extensively across all enrolled endpoints simultaneously
Software development teams with integrated code signing workflows will generate frequent signtool.exe detections on build servers, developer workstations, and automated CI/CD agents throughout the business day
Windows Group Policy-enforced certificate trust updates and Windows Update processes may modify SystemCertificates and Cryptography registry paths as part of normal OS patch and policy enforcement cycles

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| eval ImageLower=lower(ImageFileName)
| eval CmdLower=lower(CommandLine)
| eval isCertutil=if(
    match(field=ImageLower, regex="certutil\\.exe") AND
    match(field=CmdLower, regex="(-addstore|-delstore|-importpfx|-enterprise)"),
    1, 0)
| eval isRootStore=if(
    isCertutil==1 AND
    match(field=CmdLower, regex="(root|authroot|trustedpublisher|trustedpeople)"),
    1, 0)
| eval isMotwRemoval=if(
    match(field=ImageLower, regex="(powershell|pwsh|cmd)\\.exe") AND
    match(field=CmdLower, regex="(unblock-file|zone\\.identifier|zoneid)"),
    1, 0)
| eval isSigntool=if(
    match(field=ImageLower, regex="signtool\\.exe") AND
    match(field=CmdLower, regex="\\bsign\\b"),
    1, 0)
| eval isCertCreation=if(
    match(field=ImageLower, regex="(makecert|pvk2pfx)\\.exe"),
    1, 0)
| eval SuspicionScore=isCertutil + isRootStore + isMotwRemoval + isSigntool + isCertCreation
| where SuspicionScore > 0
| eval DetectionBranch=case(
    isRootStore==1, "ROOT_CERT_INSTALL",
    isCertutil==1, "CERT_STORE_MANIP",
    isMotwRemoval==1, "MOTW_REMOVAL",
    isSigntool==1, "SIGNTOOL_SIGN",
    isCertCreation==1, "CERT_CREATION",
    "TRUST_SUBVERSION")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SuspicionScore])
| sort(field=SuspicionScore, order=desc)

CrowdStrike LogScale (Falcon CQL) query detecting T1553 Subvert Trust Controls using Falcon ProcessRollup2 telemetry. Detects certutil certificate store manipulation (including root and trusted publisher store additions), MOTW removal via Zone.Identifier operations or Unblock-File, signtool code signing activity, and certificate creation tools (makecert, pvk2pfx). A companion query targeting RegistryOperationDetailed events can extend coverage to Windows cryptography and trust provider registry modifications. Compatible with CrowdStrike Falcon Insight XDR and LogScale SIEM.

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) CrowdStrike Falcon Insight XDR CrowdStrike LogScale

Required Tables

ProcessRollup2 RegistryOperationDetailed

False Positives

Enterprise endpoint provisioning workflows that deploy corporate CA certificates using certutil will fire ROOT_CERT_INSTALL across large device fleets simultaneously during certificate management operations, creating high-volume alert bursts
Build automation systems and developers using Windows SDK signing tools (signtool, makecert, pvk2pfx) in development, testing, and release engineering workflows generate continuous SIGNTOOL_SIGN and CERT_CREATION detections on designated signing hosts
Enterprise EDR, DLP, or sandboxing tools that analyze or sanitize downloaded files may interact with Zone.Identifier alternate data streams as part of file quarantine or safe-launch preprocessing, triggering MOTW_REMOVAL as a routine operational event

Sigma rule & cross-platform mapping

The detection logic for Subvert Trust Controls (T1553) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1553 Sigma rules on detection.fyi

Platform-specific guides for T1553

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Add Self-Signed Root Certificate to Windows ROOT Store
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore ROOT'. Security Event ID 4688 (if command line auditing enabled). Windows CertificateServicesClient-Lifecycle-System/Operational Event ID 1001 (certificate installed). CAPI2 Operational log entries for certificate store modification.
Test 2Remove Mark-of-the-Web via PowerShell Unblock-File
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Unblock-File' and the target file path. Sysmon Event ID 23 or 26 (File Delete) for the Zone.Identifier ADS removal. PowerShell ScriptBlock Log Event ID 4104 showing the Unblock-File command. Security Event ID 4663 (object access) if file system auditing is enabled for the temp directory.
Test 3Remove Zone.Identifier ADS via cmd.exe del command
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'Zone.Identifier' and 'del'. Sysmon Event ID 23 (File Delete) for the ADS. Security Event ID 4688 if command line auditing is enabled. Note: some EDR solutions specifically monitor for ADS deletion on .exe files.
Test 4Inspect and Enumerate SIP Trust Provider Registry Keys
Expected signal: Sysmon Event ID 1: reg.exe with CommandLine querying Cryptography\OID paths. Security Event ID 4663 (registry object access) if registry auditing is enabled. No modifications occur — this tests detection of enumeration prior to hijacking.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1553 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub

TA0005Defense Evasion

Sub-techniques (6)

Related Techniques

T1553.001Gatekeeper Bypass T1553.002Code Signing T1553.003SIP and Trust Provider Hijacking T1553.004Install Root Certificate T1553.005Mark-of-the-Web Bypass T1553.006Code Signing Policy Modification T1112Modify Registry T1222File and Directory Permissions Modification T1036Masquerading T1027Obfuscated Files or Information T1105Ingress Tool Transfer

Subvert Trust Controls

What is T1553 Subvert Trust Controls?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1553

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (6)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1553 Subvert Trust Controls?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1553

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (6)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox