Detect Subvert Trust Controls in CrowdStrike LogScale
Adversaries may undermine security controls that warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products contain mechanisms to identify programs or websites as possessing some level of trust, such as code signing certificates, Mark-of-the-Web (MOTW) attributes, Gatekeeper on macOS, or SIP and Trust Provider validation on Windows. Adversaries attempt to subvert these trust mechanisms through techniques including code signing certificate theft or forgery, MOTW removal, root certificate installation, SIP/Trust Provider hijacking, and Gatekeeper bypass. The method used depends on the specific mechanism being subverted.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1553 Subvert Trust Controls
- Canonical reference
- https://attack.mitre.org/techniques/T1553/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| eval ImageLower=lower(ImageFileName)
| eval CmdLower=lower(CommandLine)
| eval isCertutil=if(
match(field=ImageLower, regex="certutil\\.exe") AND
match(field=CmdLower, regex="(-addstore|-delstore|-importpfx|-enterprise)"),
1, 0)
| eval isRootStore=if(
isCertutil==1 AND
match(field=CmdLower, regex="(root|authroot|trustedpublisher|trustedpeople)"),
1, 0)
| eval isMotwRemoval=if(
match(field=ImageLower, regex="(powershell|pwsh|cmd)\\.exe") AND
match(field=CmdLower, regex="(unblock-file|zone\\.identifier|zoneid)"),
1, 0)
| eval isSigntool=if(
match(field=ImageLower, regex="signtool\\.exe") AND
match(field=CmdLower, regex="\\bsign\\b"),
1, 0)
| eval isCertCreation=if(
match(field=ImageLower, regex="(makecert|pvk2pfx)\\.exe"),
1, 0)
| eval SuspicionScore=isCertutil + isRootStore + isMotwRemoval + isSigntool + isCertCreation
| where SuspicionScore > 0
| eval DetectionBranch=case(
isRootStore==1, "ROOT_CERT_INSTALL",
isCertutil==1, "CERT_STORE_MANIP",
isMotwRemoval==1, "MOTW_REMOVAL",
isSigntool==1, "SIGNTOOL_SIGN",
isCertCreation==1, "CERT_CREATION",
"TRUST_SUBVERSION")
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionBranch, SuspicionScore])
| sort(field=SuspicionScore, order=desc)CrowdStrike LogScale (Falcon CQL) query detecting T1553 Subvert Trust Controls using Falcon ProcessRollup2 telemetry. Detects certutil certificate store manipulation (including root and trusted publisher store additions), MOTW removal via Zone.Identifier operations or Unblock-File, signtool code signing activity, and certificate creation tools (makecert, pvk2pfx). A companion query targeting RegistryOperationDetailed events can extend coverage to Windows cryptography and trust provider registry modifications. Compatible with CrowdStrike Falcon Insight XDR and LogScale SIEM.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise endpoint provisioning workflows that deploy corporate CA certificates using certutil will fire ROOT_CERT_INSTALL across large device fleets simultaneously during certificate management operations, creating high-volume alert bursts
- Build automation systems and developers using Windows SDK signing tools (signtool, makecert, pvk2pfx) in development, testing, and release engineering workflows generate continuous SIGNTOOL_SIGN and CERT_CREATION detections on designated signing hosts
- Enterprise EDR, DLP, or sandboxing tools that analyze or sanitize downloaded files may interact with Zone.Identifier alternate data streams as part of file quarantine or safe-launch preprocessing, triggering MOTW_REMOVAL as a routine operational event
Other platforms for T1553
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Self-Signed Root Certificate to Windows ROOT Store
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore ROOT'. Security Event ID 4688 (if command line auditing enabled). Windows CertificateServicesClient-Lifecycle-System/Operational Event ID 1001 (certificate installed). CAPI2 Operational log entries for certificate store modification.
- Test 2Remove Mark-of-the-Web via PowerShell Unblock-File
Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Unblock-File' and the target file path. Sysmon Event ID 23 or 26 (File Delete) for the Zone.Identifier ADS removal. PowerShell ScriptBlock Log Event ID 4104 showing the Unblock-File command. Security Event ID 4663 (object access) if file system auditing is enabled for the temp directory.
- Test 3Remove Zone.Identifier ADS via cmd.exe del command
Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'Zone.Identifier' and 'del'. Sysmon Event ID 23 (File Delete) for the ADS. Security Event ID 4688 if command line auditing is enabled. Note: some EDR solutions specifically monitor for ADS deletion on .exe files.
- Test 4Inspect and Enumerate SIP Trust Provider Registry Keys
Expected signal: Sysmon Event ID 1: reg.exe with CommandLine querying Cryptography\OID paths. Security Event ID 4663 (registry object access) if registry auditing is enabled. No modifications occur — this tests detection of enumeration prior to hijacking.
References (9)
- https://attack.mitre.org/techniques/T1553/
- https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
- https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
- https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/
- https://learn.microsoft.com/en-us/windows/win32/seccrypto/subject-interface-packages
- https://learn.microsoft.com/en-us/sysinternals/downloads/streams
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry
Unlock Pro Content
Get the full detection package for T1553 including response playbook, investigation guide, and atomic red team tests.