1. Home
  2. Techniques
  3. Enterprise
  4. 颠覆信任控制

颠覆信任控制

ID Name
T1553.001 伪造代码签名证书
T1553.002 供应链信任劫持
T1553.003 驱动程序签名白名单滥用

颠覆信任控制是指攻击者通过篡改系统信任验证机制或滥用信任凭证,绕过安全防护措施的技术集合。传统防御手段侧重于监控证书元数据异常、维护信任组件基线与分析自动启动项,通过检测非授权签名证书、异常注册表修改等行为识别威胁。典型缓解措施包括证书透明度监控、WHQL签名验证强化,以及扩展文件属性变更审计等。

为对抗日益完善的信任验证体系,攻击者发展出多种规避信任控制的隐蔽技术。这些技术通过动态构造信任凭证、劫持验证流程逻辑、污染信任传递链条等手法,将恶意操作嵌入系统信任决策的关键环节,实现攻击行为的"合法化"伪装。

当前颠覆信任控制匿迹技术的核心路径集中于信任验证体系的流程穿透与上下文欺骗。伪造代码签名证书从信任凭证源头植入恶意属性,实现证书的表面合规;供应链信任劫持利用软件分发渠道的固有信任关系,使恶意代码继承合法程序的信任属性;驱动签名滥用则挖掘认证机制的制度盲区,获取系统内核级执行权限。这些技术的共性在于:1)聚焦信任验证流程的瞬时状态而非持久化特征;2)利用系统安全机制自身的逻辑缺陷实现攻击隐匿;3)构建多层信任传递关系增强攻击合法性。攻击者通过精确制导的信任体系穿透,使得恶意行为在系统安全组件的视角下呈现合规特征,极大提升检测难度。

匿迹技术的发展导致传统基于签名黑名单、证书吊销列表的防御体系面临根本性挑战,防御方需构建覆盖信任链全生命周期的动态监控体系,强化内存完整性保护与供应链源头验证,并引入AI驱动的异常信任关系图谱分析,才能有效应对新型信任控制颠覆攻击。

ID: T1553
Sub-techniques:  T1553.001, T1553.002, T1553.003
Tactic: 防御规避
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Application Control, Autoruns Analysis, Digital Certificate Validation, User Mode Signature Validation, Windows User Account Control
Version: 1.2
Created: 05 February 2020
Last Modified: 01 March 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过伪造数字证书签名、劫持合法软件供应链等方式,使恶意代码具备与合法程序相同的信任特征。例如使用WHQL认证签名伪装恶意驱动,或通过污染软件构建流程生成带有效签名的后门程序。这些手法使得恶意载体在证书指纹、签名链等表面特征维度与合法对象完全一致,规避基于特征比对的检测机制。

行为透明

技术实施过程中充分利用系统固有信任验证流程的盲区,例如通过合法编译环境注入恶意代码、利用泄露的合法签名密钥实现权限提升。此类操作完全遵循系统预设的安全验证路径,使得攻击行为在流程合规性层面具有透明性,传统审计机制难以察觉异常。

数据遮蔽

攻击者通过篡改或伪造信任相关信息,如修改代码签名中的关键数据、伪造证书等,使防御者难以通过正常的信任验证机制来识别恶意程序。这种对数据的篡改和伪造起到了数据遮蔽的作用,类似于对攻击信息进行了加密或混淆,增加了追踪和识别的难度,使防御者难以看透攻击的本质。

Procedure Examples

ID Name Description
G0001 Axiom

Axiom has used digital certificates to deliver malware.[1]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

System settings can prevent applications from running that haven't been downloaded through the Apple Store (or other legitimate repositories) which can help mitigate some of these issues. Also enable application control solutions such as AppLocker and/or Device Guard to block the loading of malicious content.
M1028 Operating System Configuration

Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. [2]
M1026 Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
M1024 Restrict Registry Permissions

Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.
M1054 Software Configuration

HTTP Public Key Pinning (HPKP) is one method to mitigate potential Adversary-in-the-Middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. [3]

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Command monitoring may reveal malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.
DS0022 File File Metadata

Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.
File Modification

Periodically baseline registered SIPs and trust providers (Registry entries and files on disk), specifically looking for new, modified, or non-Microsoft entries.[4] Also analyze Autoruns data for oddities and anomalies, specifically malicious files attempting persistent execution by hiding within auto-starting locations. Autoruns will hide entries signed by Microsoft or Windows by default, so ensure "Hide Microsoft Entries" and "Hide Windows Entries" are both deselected.[4]

On macOS, the removal of the com.apple.quarantine flag by a user instead of the operating system is a suspicious action and should be examined further. Also monitor software update frameworks that may strip this flag when performing updates.
DS0011 Module Module Load

Enable CryptoAPI v2 (CAPI) event logging [5] to monitor and analyze error events related to failed trust validation (Event ID 81, though this event can be subverted by hijacked trust provider components) as well as any other provided information events (ex: successful validations). Code Integrity event logging may also provide valuable indicators of malicious SIP or trust provider loads, since protected processes that attempt to load a maliciously-crafted trust validation component will likely fail (Event ID 3033). [4]
DS0009 Process Process Creation

Monitor processes and arguments for malicious attempts to modify trust settings, such as the installation of root certificates or modifications to trust attributes/policies applied to files.
DS0024 Windows Registry Windows Registry Key Creation

Monitoring the creation of (sub)keys within the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: [6]* 18F7C1FCC3090203FD5BAA2F861A754976C8DD25* 245C97DF7514E7CF2DF8BE72AE957B9E04741E85* 3B1EFD3A66EA28B16697394703A72CA340A05BD5* 7F88CD7223F3C813818C994614A89C99FA3B5247* 8F43288AD272F3103B6FB1428485EA3014C0BCFE* A43489159A520F0D93D032CCAF37E7FE20A8B419* BE36A4562FB2EE05DBB3D32323ADF445084ED656* CDD4EEAE6000AC7F40C3802C171E30148030C072
Windows Registry Key Modification

Monitoring changes to the Windows Registry may reveal malicious attempts to modify trust settings, such as the installation of root certificates. Installed root certificates are located in the Registry under HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\ and [HKLM or HKCU]\Software[\Policies]\Microsoft\SystemCertificates\Root\Certificates\. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: [6] Also consider enabling the Registry Global Object Access Auditing [7] setting in the Advanced Security Audit policy to apply a global system access control list (SACL) and event auditing on modifications to Registry values (sub)keys related to SIPs and trust providers:[8]

References

  1. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  2. Graeber, M. (2017, December 22). Code Signing Certificate Cloning Attacks and Defenses. Retrieved April 3, 2018.
  3. Wikipedia. (2017, February 28). HTTP Public Key Pinning. Retrieved March 31, 2017.
  4. Graeber, M. (2017, September). Subverting Trust in Windows. Retrieved January 31, 2018.
  1. Entrust Datacard. (2017, August 16). How do I enable CAPI 2.0 logging in Windows Vista, Windows 7 and Windows 2008 Server?. Retrieved January 31, 2018.
  2. Smith, T. (2016, October 27). AppUNBlocker: Bypassing AppLocker. Retrieved December 19, 2017.
  3. Microsoft. (2016, August 31). Registry (Global Object Access Auditing). Retrieved January 31, 2018.
  4. Microsoft. (2012, July 2). Audit Registry. Retrieved January 31, 2018.