| ID | Name |
|---|---|
| T1685.001 | Disable or Modify Windows Event Log |
| T1685.002 | Disable or Modify Cloud Log |
| T1685.003 | Modify or Spoof Tool UI |
| T1685.004 | Disable or Modify Linux Audit System Log |
| T1685.005 | Clear Windows Event Logs |
| T1685.006 | Clear Linux or Mac System Logs |
Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response.
Adversaries may present misleading or falsified security tool interfaces (UIs) that display normal or healthy status indicators, even when underlying security tools have been disabled, degraded, or otherwise tampered with. Security tools typically provide visibility into system health, alerting, and operational status; by misrepresenting this information, adversaries can undermine defender trust in these signals and obscure the true security posture of the system.
This behavior is often used in conjunction with efforts to disable or modify tools, where adversaries first impair the functionality of defenses (e.g., EDR, logging agents) and then replace or mimic their interfaces to conceal the loss of visibility. By maintaining the appearance of normal operations, such as showing active protection, successful updates, or absence of threats, adversaries can delay investigation and response, enabling continued malicious activity.
For example, adversaries may display a fake Windows Security interface or system tray icon indicating a "protected" or "healthy" state after disabling Windows Defender or related services.[1]
| ID | Name | Description |
|---|---|---|
| S9014 | PHASEJAM | PHASEJAM has prevented legitimate Ivanti Connect Secure system upgrades by intercepting the upgrade command and rendering a fake HTML upgrade progress bar through a function called |
| ID | Mitigation | Description |
|---|---|---|
| M1038 | Execution Prevention | Use application controls to mitigate installation and use of payloads that may be utilized to spoof security alerting. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0311 | Detection for Spoofing Tool UI across OS Platforms | AN0868 | Detection of inconsistencies between reported sensor health and actual process/service state. For example, Windows Defender tray icon/UI showing healthy status while corresponding Defender services (WinDefend, MsMpEng) are stopped or disabled. Correlates process creation events with missing or terminated security processes and spoofed health events. |
| | | AN0869 | Monitoring for discrepancies between system daemon/service state and reported health messages (e.g., syslog shows AV/IDS daemon stopped, but spoofed messages claim it is still running). Detects userland processes impersonating AV/IDS command-line outputs or modifying log forwarding configurations. |
| | | AN0870 | Detection of fake or spoofed macOS Security & Privacy GUIs showing healthy status after XProtect, Gatekeeper, or AV processes are disabled. Correlates user-space UI process creation with terminated or missing security daemons. |
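The three analytics above share one idea: a "healthy" or "protected" status claim is only trustworthy while the services behind it are actually running. The following is an added example, not MITRE's own analytic logic or any vendor's code, that implements that correlation across Windows, Linux and macOS over a constructed event stream. The event schema, the `BACKING_SERVICES` mapping (beyond the WinDefend/MsMpEng names cited in AN0868, the daemon names such as `auditd`, `clamd` and `syspolicyd` are assumptions) and all sample events are made up for illustration.

```python
"""Toy correlation detector for spoofed security-tool health status.

Added example, not part of the ATT&CK page: replays service-state and
health-report events in time order and flags any "healthy" report whose
backing security services are stopped or missing at that moment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Product name claimed by a health report -> services that must be running
# for the claim to be true. WinDefend/MsMpEng come from the analytic text;
# the remaining daemon names are assumptions for this example.
BACKING_SERVICES: Dict[str, Dict[str, List[str]]] = {
    "windows": {"defender": ["WinDefend", "MsMpEng"]},
    "linux": {"auditd": ["auditd"], "clamav": ["clamd"]},
    "macos": {"xprotect": ["XProtect"], "gatekeeper": ["syspolicyd"]},
}


@dataclass
class Event:
    ts: int                          # seconds since epoch (constructed)
    platform: str                    # "windows" | "linux" | "macos"
    kind: str                        # "service_state" | "health_report"
    subject: str                     # service name, or product the report claims
    value: str                       # running/stopped/missing, or healthy/degraded
    source_pid: Optional[int] = None  # process that emitted a health report


@dataclass
class Finding:
    ts: int
    platform: str
    product: str
    stopped: List[str] = field(default_factory=list)
    source_pid: Optional[int] = None

    def describe(self) -> str:
        return (f"[{self.ts}] {self.platform}: '{self.product}' reported healthy "
                f"(pid {self.source_pid}) while {', '.join(self.stopped)} not running")


def detect_spoofed_health(events: List[Event]) -> List[Finding]:
    """Track the last known state of each backing service; a 'healthy' report
    is flagged when any backing service is in a non-running state.
    Services never observed are assumed running, to avoid false positives
    on incomplete telemetry."""
    state: Dict[Tuple[str, str], str] = {}
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e.ts):   # stable: ties keep input order
        if ev.kind == "service_state":
            state[(ev.platform, ev.subject)] = ev.value
            continue
        if ev.kind != "health_report" or ev.value != "healthy":
            continue
        backing = BACKING_SERVICES.get(ev.platform, {}).get(ev.subject.lower(), [])
        stopped = [s for s in backing
                   if state.get((ev.platform, s), "running") != "running"]
        if stopped:
            findings.append(Finding(ev.ts, ev.platform, ev.subject, stopped, ev.source_pid))
    return findings


# Constructed sample telemetry: one honest Windows report, then a spoofed one
# after both Defender services go down; a spoofed macOS report; an honest
# Linux "degraded" report that must not be flagged.
SAMPLE_EVENTS: List[Event] = [
    Event(100, "windows", "service_state", "WinDefend", "running"),
    Event(100, "windows", "service_state", "MsMpEng", "running"),
    Event(110, "windows", "health_report", "defender", "healthy", 4100),
    Event(120, "windows", "service_state", "WinDefend", "stopped"),
    Event(121, "windows", "service_state", "MsMpEng", "missing"),
    Event(130, "windows", "health_report", "defender", "healthy", 5200),
    Event(200, "macos", "service_state", "XProtect", "stopped"),
    Event(205, "macos", "health_report", "xprotect", "healthy", 777),
    Event(300, "linux", "service_state", "auditd", "stopped"),
    Event(305, "linux", "health_report", "auditd", "degraded", 900),
]

if __name__ == "__main__":
    for f in detect_spoofed_health(SAMPLE_EVENTS):
        print(f.describe())
```

On real telemetry the `service_state` events would come from sources such as Windows System log service-control events, `systemd`/syslog daemon messages, or `launchd` state, and the `health_report` events from the UI or tray process that renders the status; the `source_pid` of a flagged report is the process worth examining first, since a legitimate status UI and a stopped engine should not coexist.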