| ID | Name |
|---|---|
| ATAGS-T1107.001 | Code Signing |
| ATAGS-T1107.002 | Code Signing Policy Modification |
| ATAGS-T1107.003 | Gatekeeper Bypass |
| ATAGS-T1107.004 | Install Root Certificate |
| ATAGS-T1107.005 | Mark-of-the-Web Bypass |
| ATAGS-T1107.006 | SIP and Trust Provider Hijacking |
Threat Actors may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.