MaxPatrol SIEM

Detects cyber incidents that undermine the cyber resilience of a company

T1562.011: Spoof Security Alerting

Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity. Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.

Rather than or in addition to Indicator Blocking, an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., Disable or Modify Tools). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses.

For example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

oracle_database: PT-CR-281: Oracle_Audit_Entry_Update: Modification of entries in an audit table

oracle_database: PT-CR-280: Oracle_Audit_Entry_Insert: Insertion of entries to an audit table

Detection

ID: DS0013
Data source and component: Sensor Health: Host Status
Description:

Monitor logging, messaging, and other artifacts highlighting the health of host sensors (e.g., metrics, errors, and/or exceptions from logging applications), especially correlating and comparing centralized telemetry against potentially suspicious notifications presented on individual systems.
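Added example, not part of the MaxPatrol SIEM knowledge base or the ATT&CK text: a small Python check that performs the correlation described above, comparing the last sensor heartbeat seen by the central console against the "healthy" status each endpoint reports locally, and flagging hosts where the two disagree. Host names, timestamps and the 15-minute silence threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original page).
# CENTRAL_HEARTBEATS: last sensor heartbeat the SIEM/EDR console received per host.
CENTRAL_HEARTBEATS = {
    "ws-01": "2024-05-01T10:00:00",
    "ws-02": "2024-05-01T08:15:00",   # sensor has been silent for hours
    "ws-03": "2024-05-01T09:58:00",
}
# LOCAL_STATUS: status shown by the host's own security UI/tray, collected from the endpoint.
LOCAL_STATUS = [
    {"host": "ws-01", "time": "2024-05-01T10:01:00", "status": "healthy"},
    {"host": "ws-02", "time": "2024-05-01T10:01:00", "status": "healthy"},  # contradicts central view
    {"host": "ws-03", "time": "2024-05-01T10:01:00", "status": "at_risk"},
    {"host": "ws-04", "time": "2024-05-01T10:01:00", "status": "healthy"},  # unknown to console
]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def find_spoofed_status(central, local, max_silence=timedelta(minutes=15)):
    """Return (host, reason) pairs for hosts whose locally reported 'healthy'
    status is not backed by recent telemetry in the central console.

    A host that claims to be healthy while its sensor has stopped reporting,
    or that the console has never heard from, is a candidate for T1562.011.
    """
    findings = []
    for rec in local:
        if rec["status"] != "healthy":
            continue  # only positive affirmations can be spoofed "good news"
        last_seen = central.get(rec["host"])
        if last_seen is None:
            findings.append((rec["host"], "no central telemetry for host"))
            continue
        silence = parse_ts(rec["time"]) - parse_ts(last_seen)
        if silence > max_silence:
            findings.append((rec["host"], f"sensor silent for {silence}"))
    return findings


if __name__ == "__main__":
    for host, reason in find_spoofed_status(CENTRAL_HEARTBEATS, LOCAL_STATUS):
        print(f"{host}: local status 'healthy' but {reason}")
```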

ID: DS0009
Data source and component: Process: Process Creation
Description:

Consider monitoring for suspicious processes that may be spoofing security tools and monitoring messages.

Mitigation

ID: M1038
Name: Execution Prevention
Description:

Use application controls to mitigate installation and use of payloads that may be utilized to spoof security alerting.