Impair Defenses: Spoof Security Alerting

Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.[1] Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.

Rather than, or in addition to, Indicator Blocking, an adversary can spoof positive affirmations that security tools are still functioning even after the legitimate tools have been disabled (e.g., Disable or Modify Tools). An adversary can also present a "healthy" system status even after infection. Because defenders rely on these status messages to decide whether a system needs attention, a spoofed "all clear" delays their response and buys time for further malicious activity.

For example, adversaries may show a fake Windows Security GUI and tray icon with a "healthy" system status after Windows Defender and other system tools have been disabled.[1]

ID: T1562.011
Sub-technique of: T1562
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Contributors: Menachem Goldstein
Version: 1.0
Created: 14 March 2023
Last Modified: 15 April 2025

Mitigations

ID: M1038
Mitigation: Execution Prevention
Description: Use application controls to prevent the installation and execution of unauthorized payloads that may be used to spoof security alerting, such as a fake security UI or tray-icon binary.

Detection Strategy

ID: DET0311
Name: Detection for Spoofing Security Alerting across OS Platforms

AN0868 (Windows)

Detection of inconsistencies between reported sensor health and actual process/service state. For example, the Windows Defender tray icon or Windows Security UI showing a healthy status while the Defender service (WinDefend) is stopped or disabled, or its engine process (MsMpEng.exe) is absent. Correlates process creation events with missing or terminated security processes and with spoofed health events.

AN0869 (Linux)

Monitoring for discrepancies between system daemon/service state and reported health messages (e.g., syslog shows the AV/IDS daemon stopped, but spoofed messages claim it is still running). Detects userland processes impersonating AV/IDS command-line output or modifying log forwarding configuration so that stop events never reach the collector.

AN0870 (macOS)

Detection of fake or spoofed macOS Security & Privacy GUIs showing a healthy status after XProtect, Gatekeeper, or AV processes have been disabled. Correlates user-space UI process creation with terminated or missing security daemons.
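The three analytics above share one idea: a health claim is only trustworthy if the service that would justify it is actually running. The following is an added example (not MITRE's code or any vendor's detection content) that replays constructed, simplified telemetry records for all three platforms and emits a finding whenever a "healthy" report, or the start of a security UI process, contradicts the last known state of the backing service. The event field names, the sensor-to-service pairings (WinDefend for Defender, clamav-daemon for a Linux AV, syspolicyd for Gatekeeper), and the list of processes treated as legitimate reporters are this example's assumptions rather than a real EDR schema.

```python
"""Correlate reported security-tool health with the actual service/daemon state.

Added example for this page, not MITRE's code or a vendor's detection content.
Events are constructed, simplified records standing in for service-state,
process-creation and health-report telemetry; field names, sensor-to-service
pairings and the legitimate-reporter lists are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    ts: int             # constructed timestamp (seconds)
    host: str
    kind: str           # "service_state" | "process_create" | "health_report"
    name: str           # service/daemon name, process image, or sensor name
    state: str = ""     # service_state: "running"/"stopped"; health_report: claimed status
    reporter: str = ""  # health_report: process that emitted the claim


# Backing service(s) that must be running for each sensor to be healthy, and the
# processes that legitimately present that sensor's status (assumed pairings).
BACKING: Dict[str, Set[str]] = {
    "windows-defender": {"WinDefend"},       # service hosting MsMpEng.exe
    "linux-av":         {"clamav-daemon"},
    "macos-gatekeeper": {"syspolicyd"},
}
LEGIT_REPORTERS: Dict[str, Set[str]] = {
    "windows-defender": {"SecurityHealthSystray.exe", "SecHealthUI.exe"},
    "linux-av":         {"clamdscan"},
    "macos-gatekeeper": {"System Settings"},
}
# Reverse map: a security-UI/reporter image -> the sensor it speaks for.
UI_TO_SENSOR = {p: s for s, ps in LEGIT_REPORTERS.items() for p in ps}


@dataclass
class Finding:
    ts: int
    host: str
    rule: str
    detail: str


def correlate(events: List[Event]) -> List[Finding]:
    """Replay events in time order; flag health claims and security UIs that
    contradict the known state of the service backing them."""
    running: Dict[str, Dict[str, bool]] = {}   # host -> service -> is running
    findings: List[Finding] = []

    def backing_down(host: str, sensor: str) -> Set[str]:
        state = running.get(host, {})
        # A service never observed running counts as down: the spoof usually
        # follows the sensor being disabled, so absence of evidence is itself a signal.
        return {svc for svc in BACKING.get(sensor, set()) if not state.get(svc, False)}

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "service_state":
            running.setdefault(ev.host, {})[ev.name] = ev.state == "running"
        elif ev.kind == "process_create":
            sensor = UI_TO_SENSOR.get(ev.name)
            if sensor is not None:
                down = backing_down(ev.host, sensor)
                if down:   # AN0868 / AN0870: UI appears while the daemon is gone
                    findings.append(Finding(ev.ts, ev.host, "ui_without_sensor",
                                            f"{ev.name} started while {sorted(down)} not running"))
        elif ev.kind == "health_report" and ev.state in {"healthy", "running", "ok"}:
            down = backing_down(ev.host, ev.name)
            if down:   # all three analytics: "healthy" contradicts service state
                findings.append(Finding(ev.ts, ev.host, "health_claim_while_stopped",
                                        f"{ev.reporter} reports {ev.name} {ev.state} "
                                        f"but {sorted(down)} not running"))
            if ev.reporter not in LEGIT_REPORTERS.get(ev.name, set()):   # AN0869: impersonated output
                findings.append(Finding(ev.ts, ev.host, "unexpected_reporter",
                                        f"{ev.reporter} is not a known reporter for {ev.name}"))
    return findings


# Constructed sample telemetry: one benign Windows sequence followed by spoofing on each platform.
SAMPLE_EVENTS = [
    Event(1, "win01", "service_state", "WinDefend", "running"),
    Event(2, "win01", "health_report", "windows-defender", "healthy", "SecurityHealthSystray.exe"),
    Event(3, "win01", "service_state", "WinDefend", "stopped"),
    Event(4, "win01", "process_create", "SecurityHealthSystray.exe"),          # tray icon with service down
    Event(5, "win01", "health_report", "windows-defender", "healthy", "svchost_helper.exe"),
    Event(10, "lnx01", "service_state", "clamav-daemon", "running"),
    Event(11, "lnx01", "service_state", "clamav-daemon", "stopped"),            # syslog: daemon stopped
    Event(12, "lnx01", "health_report", "linux-av", "running", "/tmp/.cache/clamdscan"),
    Event(20, "mac01", "process_create", "System Settings"),                   # syspolicyd never seen running
    Event(21, "mac01", "health_report", "macos-gatekeeper", "healthy", "System Settings"),
]


def run_sample() -> List[Finding]:
    """Run the correlator over the constructed sample."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.host} t={f.ts}] {f.rule}: {f.detail}")
```

The benign Windows prefix (service running, then a tray report of "healthy" from the expected process) produces nothing; every later record produces a finding. Two caveats when adapting this to real telemetry: treating a never-observed service as down is deliberate here but will fire on hosts whose event stream starts after boot, so in production seed the state from an inventory query rather than from log history alone; and the reporter allow-list should be keyed on signed image path, not bare file name, since a fake UI can trivially reuse the legitimate name.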

References