T1553

Subvert Trust Controls

Adversaries may undermine security controls that warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products contain mechanisms to identify programs or websites as possessing some level of trust, such as code signing certificates, Mark-of-the-Web (MOTW) attributes, Gatekeeper on macOS, or SIP and Trust Provider validation on Windows. Adversaries attempt to subvert these trust mechanisms through techniques including code signing certificate theft or forgery, MOTW removal, root certificate installation, SIP/Trust Provider hijacking, and Gatekeeper bypass. The method used depends on the specific mechanism being subverted.

Microsoft Sentinel / Defender

kusto

let SuspiciousCertOps = dynamic(["certutil", "certmgr", "certreq", "makecert", "pvk2pfx", "signtool"]);
let RootCertPaths = dynamic(["ROOT", "TRUSTEDPUBLISHER", "TRUSTEDPEOPLE", "AUTHROOT"]);
let MotwRemovalPatterns = dynamic(["Zone.Identifier", ":Zone.Identifier", "Unblock-File", "ZoneId"]);
// Branch 1: Certificate store manipulation via certutil
let CertutilOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-addstore", "-delstore", "-importpfx", "-user -addstore", "-enterprise", "-f -addstore")
| extend DetectionBranch = "CertStore_Manipulation"
| extend SuspicionScore = case(
    ProcessCommandLine has "-addstore" and ProcessCommandLine has_any ("ROOT", "AUTHROOT", "TRUSTEDPUBLISHER"), 3,
    ProcessCommandLine has "-importpfx", 2,
    ProcessCommandLine has "-addstore", 1,
    1);
// Branch 2: MOTW removal or ADS deletion
let MotwRemoval = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" or FileName =~ "cmd.exe")
| where ProcessCommandLine has_any (MotwRemovalPatterns)
| extend DetectionBranch = "MOTW_Removal"
| extend SuspicionScore = case(
    ProcessCommandLine has "Unblock-File", 2,
    ProcessCommandLine has "Zone.Identifier" and ProcessCommandLine has_any ("del", "remove", "erase", "Set-Content"), 3,
    1);
// Branch 3: Registry modifications to trust providers or authenticode
let TrustRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Microsoft\\Cryptography\\OID",
    "SOFTWARE\\Microsoft\\Cryptography\\Providers",
    "SOFTWARE\\Policies\\Microsoft\\SystemCertificates",
    "SOFTWARE\\Microsoft\\EnterpriseCertificates",
    "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders"
  )
| where ActionType in~ ("RegistryValueSet", "RegistryKeyCreated")
| extend DetectionBranch = "Trust_Registry_Modification"
| extend SuspicionScore = 2
| project Timestamp, DeviceName, AccountName,
    FileName = InitiatingProcessFileName,
    ProcessCommandLine = InitiatingProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch, SuspicionScore;
// Branch 4: Signed binary proxy / catalog hijacking
let SigToolUsage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "signtool.exe"
| extend DetectionBranch = "Signtool_Usage"
| extend SuspicionScore = case(
    ProcessCommandLine has "sign" and ProcessCommandLine has "/fd", 2,
    1);
// Union all branches
let ProcessAlerts = union CertutilOps, MotwRemoval, SigToolUsage
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, SuspicionScore;
union ProcessAlerts, TrustRegistryMod
| where SuspicionScore >= 1
| sort by SuspicionScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceRegistryEvents

False Positives

Enterprise PKI administrators legitimately adding internal CA certificates to ROOT or TRUSTEDPUBLISHER stores via certutil
Software developers using signtool.exe to sign their own applications during build processes
IT administrators using Unblock-File or removing Zone.Identifier from files downloaded from trusted internal shares
Group Policy or MDM (Intune) operations that deploy enterprise certificates to certificate stores
Security tools like antivirus or EDR solutions that modify trust provider registry keys during installation or updates

Splunk

spl

index=wineventlog
(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, Process_Command_Line)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval User=coalesce(User, SubjectUserName)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
```
``` Branch 1 — certutil certificate store manipulation
| eval CertStoreManip=if(
    match(ImageLower, "certutil\.exe") AND match(CommandLineLower, "(-addstore|-delstore|-importpfx|-enterprise)"),
    1, 0)
| eval RootStoreAdd=if(
    CertStoreManip=1 AND match(CommandLineLower, "(root|authroot|trustedpublisher|trustedpeople)"),
    1, 0)
``` Branch 2 — MOTW removal
| eval MotwRemoval=if(
    match(CommandLineLower, "(unblock-file|zone\.identifier)") AND match(CommandLineLower, "(del |remove|erase|set-content|stream)"),
    1, 0)
| eval UnblockFile=if(
    match(CommandLineLower, "unblock-file"),
    1, 0)
``` Branch 3 — suspicious signtool usage
| eval SigntoolUsage=if(
    match(ImageLower, "signtool\.exe") AND match(CommandLineLower, "sign"),
    1, 0)
``` Branch 4 — makecert or pvk2pfx usage (certificate creation)
| eval CertCreation=if(
    match(ImageLower, "(makecert\.exe|pvk2pfx\.exe)"),
    1, 0)
| eval SuspicionScore=CertStoreManip + RootStoreAdd + MotwRemoval + UnblockFile + SigntoolUsage + CertCreation
| where SuspicionScore > 0
| eval DetectionBranch=case(
    RootStoreAdd=1, "ROOT_CERT_INSTALL",
    CertStoreManip=1, "CERT_STORE_MANIP",
    MotwRemoval=1, "MOTW_REMOVAL",
    UnblockFile=1, "UNBLOCK_FILE",
    SigntoolUsage=1, "SIGNTOOL_SIGN",
    CertCreation=1, "CERT_CREATION",
    true(), "TRUST_SUBVERSION")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DetectionBranch, CertStoreManip, RootStoreAdd, MotwRemoval, UnblockFile,
        SigntoolUsage, CertCreation, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Enterprise PKI administrators adding internal CA certificates via certutil -addstore ROOT
Build pipelines using signtool.exe for legitimate application code signing
IT helpdesk using Unblock-File to unblock files downloaded from internal SharePoint or file shares
MDM and Group Policy certificate deployment operations
Security software installation modifying cryptographic provider registry keys

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS SourceIP,
  username AS Username,
  "Process Name",
  "Command Line",
  "Parent Process Name",
  CASE
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
         AND (LOWER("Command Line") LIKE '%-addstore%' OR LOWER("Command Line") LIKE '%-delstore%'
              OR LOWER("Command Line") LIKE '%-importpfx%' OR LOWER("Command Line") LIKE '%-enterprise%')
         AND (LOWER("Command Line") LIKE '%root%' OR LOWER("Command Line") LIKE '%authroot%'
              OR LOWER("Command Line") LIKE '%trustedpublisher%')
      THEN 'ROOT_CERT_INSTALL'
    WHEN LOWER("Process Name") LIKE '%certutil.exe%'
         AND (LOWER("Command Line") LIKE '%-addstore%' OR LOWER("Command Line") LIKE '%-importpfx%')
      THEN 'CERT_STORE_MANIP'
    WHEN (LOWER("Process Name") LIKE '%powershell%' OR LOWER("Process Name") LIKE '%cmd.exe%'
          OR LOWER("Process Name") LIKE '%pwsh.exe%')
         AND (LOWER("Command Line") LIKE '%zone.identifier%' OR LOWER("Command Line") LIKE '%unblock-file%')
      THEN 'MOTW_REMOVAL'
    WHEN LOWER("Process Name") LIKE '%signtool.exe%' AND LOWER("Command Line") LIKE '%sign%'
      THEN 'SIGNTOOL_SIGN'
    WHEN LOWER("Process Name") LIKE '%makecert.exe%' OR LOWER("Process Name") LIKE '%pvk2pfx.exe%'
      THEN 'CERT_CREATION'
    ELSE 'TRUST_SUBVERSION'
  END AS DetectionBranch
FROM events
WHERE LOGSOURCETYPEID IN (12, 119)
  AND (
    (
      LOWER("Process Name") LIKE '%certutil.exe%' AND
      (
        LOWER("Command Line") LIKE '%-addstore%' OR
        LOWER("Command Line") LIKE '%-delstore%' OR
        LOWER("Command Line") LIKE '%-importpfx%' OR
        LOWER("Command Line") LIKE '%-enterprise%'
      )
    ) OR
    (
      (
        LOWER("Process Name") LIKE '%powershell%' OR
        LOWER("Process Name") LIKE '%cmd.exe%' OR
        LOWER("Process Name") LIKE '%pwsh.exe%'
      ) AND
      (
        LOWER("Command Line") LIKE '%zone.identifier%' OR
        LOWER("Command Line") LIKE '%unblock-file%' OR
        LOWER("Command Line") LIKE '%zoneid%'
      )
    ) OR
    (
      LOWER("Process Name") LIKE '%signtool.exe%' AND
      LOWER("Command Line") LIKE '%sign%'
    ) OR
    LOWER("Process Name") LIKE '%makecert.exe%' OR
    LOWER("Process Name") LIKE '%pvk2pfx.exe%'
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (EventID 4688) Sysmon EventLog (EventID 1 - Process Create)

Required Tables

events

False Positives

IT infrastructure teams distributing enterprise root CA certificates to endpoints via Group Policy or manual certutil operations will produce ROOT_CERT_INSTALL and CERT_STORE_MANIP events at scale across fleet-wide certificate rollout windows
Automated code signing systems and developer workstations with signtool integrated into build toolchains will generate high-volume SIGNTOOL_SIGN events during CI/CD pipeline execution on build servers
Legitimate software distribution platforms that download and execute installer packages may strip Zone.Identifier ADS streams in a preprocessing step before execution, triggering MOTW_REMOVAL detections at scale

Sumo Logic CSE

sql

_index=sec_record*
| where metadata_deviceEventId in ("1", "4688")
| where (
    (toLowerCase(baseImage) matches ".*certutil\\.exe.*" AND
     toLowerCase(commandLine) matches ".*(-addstore|-delstore|-importpfx|-enterprise).*")
    OR (toLowerCase(baseImage) matches ".*(powershell|pwsh|cmd)\\.exe.*" AND
        toLowerCase(commandLine) matches ".*(zone\\.identifier|unblock-file|zoneid).*")
    OR (toLowerCase(baseImage) matches ".*signtool\\.exe.*" AND
        toLowerCase(commandLine) matches ".*sign.*")
    OR toLowerCase(baseImage) matches ".*(makecert|pvk2pfx)\\.exe.*"
  )
| eval ImageLower = toLowerCase(baseImage)
| eval CmdLower = toLowerCase(commandLine)
| eval CertStoreManip = if (ImageLower matches ".*certutil\\.exe.*" AND (CmdLower matches ".*-addstore.*" OR CmdLower matches ".*-delstore.*" OR CmdLower matches ".*-importpfx.*" OR CmdLower matches ".*-enterprise.*"), 1, 0)
| eval RootStoreAdd = if (CertStoreManip == 1 AND (CmdLower matches ".*(root|authroot|trustedpublisher|trustedpeople).*"), 1, 0)
| eval MotwRemoval = if (ImageLower matches ".*(powershell|pwsh|cmd)\\.exe.*" AND (CmdLower matches ".*zone\\.identifier.*" OR CmdLower matches ".*unblock-file.*"), 1, 0)
| eval SigntoolUsage = if (ImageLower matches ".*signtool\\.exe.*" AND CmdLower matches ".*sign.*", 1, 0)
| eval CertCreation = if (ImageLower matches ".*(makecert|pvk2pfx)\\.exe.*", 1, 0)
| eval SuspicionScore = CertStoreManip + RootStoreAdd + MotwRemoval + SigntoolUsage + CertCreation
| eval DetectionBranch = if (RootStoreAdd == 1, "ROOT_CERT_INSTALL", if (CertStoreManip == 1, "CERT_STORE_MANIP", if (MotwRemoval == 1, "MOTW_REMOVAL", if (SigntoolUsage == 1, "SIGNTOOL_SIGN", if (CertCreation == 1, "CERT_CREATION", "TRUST_SUBVERSION")))))
| fields metadata_deviceTimestamp, device_hostname, user_username, baseImage, commandLine, parentBaseImage, DetectionBranch, CertStoreManip, RootStoreAdd, MotwRemoval, SigntoolUsage, CertCreation, SuspicionScore
| sort by SuspicionScore desc, metadata_deviceTimestamp desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM (CSE) normalized records Windows Sysmon via CSE normalization Windows Security Event Log via CSE normalization

Required Tables

sec_record_endpoint_os_windows sec_record_*

False Positives

Enterprise certificate lifecycle management processes run by IT security or PKI teams using certutil to install corporate CA certificates into ROOT and TRUSTEDPUBLISHER stores will trigger CERT_STORE_MANIP and ROOT_CERT_INSTALL branches on every managed endpoint during rollouts
Developers using Windows SDK tools (makecert, pvk2pfx, signtool) during local development and testing of code signing workflows will generate persistent CERT_CREATION and SIGNTOOL_SIGN detections on developer workstations
Security scanning and EDR tools that interact with Zone.Identifier ADS attributes during file quarantine, sandboxing, or safe-launch preprocessing workflows may trigger MOTW_REMOVAL detections as a routine operational side effect

Google Chronicle / SecOps

yaral

rule t1553_subvert_trust_controls {
  meta:
    author = "Detection Engineering"
    description = "Detects T1553 Subvert Trust Controls: certutil certificate store manipulation, MOTW removal via Zone.Identifier or Unblock-File, signtool signing, certificate creation tools, and trust provider registry modifications"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1553"
    reference = "https://attack.mitre.org/techniques/T1553/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        (
          re.regex($e.target.process.file.full_path, `(?i)certutil\.exe$`) and
          re.regex($e.target.process.command_line, `(?i)(-addstore|-delstore|-importpfx|-enterprise)`)
        ) or
        (
          re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh|cmd)\.exe$`) and
          re.regex($e.target.process.command_line, `(?i)(unblock-file|zone\.identifier|zoneid)`)
        ) or
        (
          re.regex($e.target.process.file.full_path, `(?i)signtool\.exe$`) and
          re.regex($e.target.process.command_line, `(?i)\bsign\b`)
        ) or
        re.regex($e.target.process.file.full_path, `(?i)(makecert|pvk2pfx)\.exe$`)
      )
    ) or
    (
      $e.metadata.event_type = "REGISTRY_MODIFICATION" and
      re.regex($e.target.registry.registry_key,
        `(?i)(SOFTWARE.Microsoft.Cryptography.(OID|Providers)|SOFTWARE.(Policies.Microsoft.SystemCertificates|Microsoft.EnterpriseCertificates)|SYSTEM.CurrentControlSet.Control.SecurityProviders)`
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Chronicle Forwarder with Windows Sysmon Microsoft Defender for Endpoint via Chronicle integration CrowdStrike Falcon via Chronicle integration

Required Tables

PROCESS_LAUNCH UDM events REGISTRY_MODIFICATION UDM events

False Positives

Enterprise PKI operations using certutil to distribute root CA certificates across managed fleets during certificate renewal cycles will match the certutil branch extensively across all enrolled endpoints simultaneously
Software development teams with integrated code signing workflows will generate frequent signtool.exe detections on build servers, developer workstations, and automated CI/CD agents throughout the business day
Windows Group Policy-enforced certificate trust updates and Windows Update processes may modify SystemCertificates and Cryptography registry paths as part of normal OS patch and policy enforcement cycles

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| eval ImageLower=lower(ImageFileName)
| eval CmdLower=lower(CommandLine)
| eval isCertutil=if(
    match(field=ImageLower, regex="certutil\\.exe") AND
    match(field=CmdLower, regex="(-addstore|-delstore|-importpfx|-enterprise)"),
    1, 0)
| eval isRootStore=if(
    isCertutil==1 AND
    match(field=CmdLower, regex="(root|authroot|trustedpublisher|trustedpeople)"),
    1, 0)
| eval isMotwRemoval=if(
    match(field=ImageLower, regex="(powershell|pwsh|cmd)\\.exe") AND
    match(field=CmdLower, regex="(unblock-file|zone\\.identifier|zoneid)"),
    1, 0)
| eval isSigntool=if(
    match(field=ImageLower, regex="signtool\\.exe") AND
    match(field=CmdLower, regex="\\bsign\\b"),
    1, 0)
| eval isCertCreation=if(
    match(field=ImageLower, regex="(makecert|pvk2pfx)\\.exe"),
    1, 0)
| eval SuspicionScore=isCertutil + isRootStore + isMotwRemoval + isSigntool + isCertCreation
| where SuspicionScore > 0
| eval DetectionBranch=case(
    isRootStore==1, "ROOT_CERT_INSTALL",
    isCertutil==1, "CERT_STORE_MANIP",
    isMotwRemoval==1, "MOTW_REMOVAL",
    isSigntool==1, "SIGNTOOL_SIGN",
    isCertCreation==1, "CERT_CREATION",
    "TRUST_SUBVERSION")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SuspicionScore])
| sort(field=SuspicionScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) CrowdStrike Falcon Insight XDR CrowdStrike LogScale

Required Tables

ProcessRollup2 RegistryOperationDetailed

False Positives

Enterprise endpoint provisioning workflows that deploy corporate CA certificates using certutil will fire ROOT_CERT_INSTALL across large device fleets simultaneously during certificate management operations, creating high-volume alert bursts
Build automation systems and developers using Windows SDK signing tools (signtool, makecert, pvk2pfx) in development, testing, and release engineering workflows generate continuous SIGNTOOL_SIGN and CERT_CREATION detections on designated signing hosts
Enterprise EDR, DLP, or sandboxing tools that analyze or sanitize downloaded files may interact with Zone.Identifier alternate data streams as part of file quarantine or safe-launch preprocessing, triggering MOTW_REMOVAL as a routine operational event

Last updated: 2026-04-13 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1553 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Subvert Trust Controls

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (6)

Same Tactic: Defense Evasion

Popular Detections