T1553 Microsoft Sentinel · KQL

Detect Subvert Trust Controls in Microsoft Sentinel

Adversaries may undermine security controls that warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products contain mechanisms to identify programs or websites as possessing some level of trust, such as code signing certificates, Mark-of-the-Web (MOTW) attributes, Gatekeeper on macOS, or SIP and Trust Provider validation on Windows. Adversaries attempt to subvert these trust mechanisms through techniques including code signing certificate theft or forgery, MOTW removal, root certificate installation, SIP/Trust Provider hijacking, and Gatekeeper bypass. The method used depends on the specific mechanism being subverted.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1553 Subvert Trust Controls
Canonical reference
https://attack.mitre.org/techniques/T1553/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SuspiciousCertOps = dynamic(["certutil", "certmgr", "certreq", "makecert", "pvk2pfx", "signtool"]);
let RootCertPaths = dynamic(["ROOT", "TRUSTEDPUBLISHER", "TRUSTEDPEOPLE", "AUTHROOT"]);
let MotwRemovalPatterns = dynamic(["Zone.Identifier", ":Zone.Identifier", "Unblock-File", "ZoneId"]);
// Branch 1: Certificate store manipulation via certutil
let CertutilOps = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-addstore", "-delstore", "-importpfx", "-user -addstore", "-enterprise", "-f -addstore")
| extend DetectionBranch = "CertStore_Manipulation"
| extend SuspicionScore = case(
    ProcessCommandLine has "-addstore" and ProcessCommandLine has_any ("ROOT", "AUTHROOT", "TRUSTEDPUBLISHER"), 3,
    ProcessCommandLine has "-importpfx", 2,
    ProcessCommandLine has "-addstore", 1,
    1);
// Branch 2: MOTW removal or ADS deletion
let MotwRemoval = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe" or FileName =~ "cmd.exe")
| where ProcessCommandLine has_any (MotwRemovalPatterns)
| extend DetectionBranch = "MOTW_Removal"
| extend SuspicionScore = case(
    ProcessCommandLine has "Unblock-File", 2,
    ProcessCommandLine has "Zone.Identifier" and ProcessCommandLine has_any ("del", "remove", "erase", "Set-Content"), 3,
    1);
// Branch 3: Registry modifications to trust providers or authenticode
let TrustRegistryMod = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_any (
    "SOFTWARE\\Microsoft\\Cryptography\\OID",
    "SOFTWARE\\Microsoft\\Cryptography\\Providers",
    "SOFTWARE\\Policies\\Microsoft\\SystemCertificates",
    "SOFTWARE\\Microsoft\\EnterpriseCertificates",
    "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders"
  )
| where ActionType in~ ("RegistryValueSet", "RegistryKeyCreated")
| extend DetectionBranch = "Trust_Registry_Modification"
| extend SuspicionScore = 2
| project Timestamp, DeviceName, AccountName,
    FileName = InitiatingProcessFileName,
    ProcessCommandLine = InitiatingProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionBranch, SuspicionScore;
// Branch 4: Signed binary proxy / catalog hijacking
let SigToolUsage = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "signtool.exe"
| extend DetectionBranch = "Signtool_Usage"
| extend SuspicionScore = case(
    ProcessCommandLine has "sign" and ProcessCommandLine has "/fd", 2,
    1);
// Union all branches
let ProcessAlerts = union CertutilOps, MotwRemoval, SigToolUsage
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, SuspicionScore;
union ProcessAlerts, TrustRegistryMod
| where SuspicionScore >= 1
| sort by SuspicionScore desc, Timestamp desc
high severity medium confidence

Detects attempts to subvert Windows trust controls across four detection branches: (1) certutil manipulating certificate stores including root/trusted publisher stores, (2) Mark-of-the-Web removal via PowerShell Unblock-File or direct ADS deletion, (3) registry modifications to cryptographic trust providers and certificate policy keys, (4) signtool.exe usage for signing operations. Each branch assigns a suspicion score; scores of 3 indicate high-confidence malicious activity such as adding certificates to the ROOT store.

Data Sources

Process: Process CreationCommand: Command ExecutionWindows Registry: Registry Key ModificationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceRegistryEvents

False Positives & Tuning

  • Enterprise PKI administrators legitimately adding internal CA certificates to ROOT or TRUSTEDPUBLISHER stores via certutil
  • Software developers using signtool.exe to sign their own applications during build processes
  • IT administrators using Unblock-File or removing Zone.Identifier from files downloaded from trusted internal shares
  • Group Policy or MDM (Intune) operations that deploy enterprise certificates to certificate stores
  • Security tools like antivirus or EDR solutions that modify trust provider registry keys during installation or updates
Download portable Sigma rule (.yml)

Other platforms for T1553

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add Self-Signed Root Certificate to Windows ROOT Store

    Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe, CommandLine containing '-addstore ROOT'. Security Event ID 4688 (if command line auditing enabled). Windows CertificateServicesClient-Lifecycle-System/Operational Event ID 1001 (certificate installed). CAPI2 Operational log entries for certificate store modification.

  2. Test 2Remove Mark-of-the-Web via PowerShell Unblock-File

    Expected signal: Sysmon Event ID 1: powershell.exe with CommandLine containing 'Unblock-File' and the target file path. Sysmon Event ID 23 or 26 (File Delete) for the Zone.Identifier ADS removal. PowerShell ScriptBlock Log Event ID 4104 showing the Unblock-File command. Security Event ID 4663 (object access) if file system auditing is enabled for the temp directory.

  3. Test 3Remove Zone.Identifier ADS via cmd.exe del command

    Expected signal: Sysmon Event ID 1: cmd.exe with CommandLine containing 'Zone.Identifier' and 'del'. Sysmon Event ID 23 (File Delete) for the ADS. Security Event ID 4688 if command line auditing is enabled. Note: some EDR solutions specifically monitor for ADS deletion on .exe files.

  4. Test 4Inspect and Enumerate SIP Trust Provider Registry Keys

    Expected signal: Sysmon Event ID 1: reg.exe with CommandLine querying Cryptography\OID paths. Security Event ID 4663 (registry object access) if registry auditing is enabled. No modifications occur — this tests detection of enumeration prior to hijacking.

Last updated: 2026-04-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1553 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (6)

Related Techniques

T1553.001Gatekeeper BypassT1553.002Code SigningT1553.003SIP and Trust Provider HijackingT1553.004Install Root CertificateT1553.005Mark-of-the-Web BypassT1553.006Code Signing Policy ModificationT1112Modify RegistryT1222File and Directory Permissions ModificationT1036MasqueradingT1027Obfuscated Files or InformationT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections