title: Subvert Trust Controls (T1553)
id: df00tech-t1553
status: experimental
description: "Adversaries may undermine security controls that warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products contain mechanisms to identify programs or websites as possessing some level of trust, such as code signing certificates, Mark-of-the-Web (MOTW) attributes, Gatekeeper on macOS, or SIP and Trust Provider validation on Windows. Adversaries attempt to subvert these trust mechanisms through techniques including code signing certificate theft or forgery, MOTW removal, root certificate installation, SIP/Trust Provider hijacking, and Gatekeeper bypass. The method used depends on the specific mechanism being subverted."
references:
  - https://attack.mitre.org/techniques/T1553/
  - https://df00tech.com/detections/T1553
author: df00tech
date: 2026/04/13
tags:
  - attack.t1553
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Enterprise PKI administrators legitimately adding internal CA certificates to ROOT or TRUSTEDPUBLISHER stores via certutil
  - Software developers using signtool.exe to sign their own applications during build processes
  - IT administrators using Unblock-File or removing Zone.Identifier from files downloaded from trusted internal shares
  - Group Policy or MDM (Intune) operations that deploy enterprise certificates to certificate stores
  - Security tools like antivirus or EDR solutions that modify trust provider registry keys during installation or updates
level: high