T1562.011

Spoof Security Alerting

Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders' awareness of malicious activity. Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Rather than or in addition to Indicator Blocking, an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled. An adversary can also present a 'healthy' system status even after infection. For example, adversaries may show a fake Windows Security GUI and tray icon with a 'healthy' system status after Windows Defender and other system tools have been disabled. This technique was observed in Black Basta ransomware campaigns using custom EDR evasion tools tied to FIN7.

Microsoft Sentinel / Defender

kusto

let SecurityTrayProcesses = dynamic([
  "SecurityHealthSystray.exe", "SecurityHealthHost.exe",
  "MSASCuiL.exe", "NisSrv.exe"
]);
let DefenderServiceNames = dynamic([
  "WinDefend", "SecurityHealthService",
  "wscsvc", "Sense", "WdNisSvc"
]);
union
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where FileName in~ (SecurityTrayProcesses)
  | where not(FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Program Files\\Windows Defender" or FolderPath startswith "C:\\ProgramData\\Microsoft\\Windows Defender")
  | project Timestamp, DeviceName, AccountName, FileName, FolderPath,
           ProcessCommandLine, InitiatingProcessFileName,
           SHA256, DetectionType="FakeSecurityProcess_WrongPath"
),
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where ProcessCommandLine has_any ("SecurityHealth", "Windows Defender", "WindowsSecurity")
  | where FileName !in~ (SecurityTrayProcesses)
  | where FileName !in~ ("MsMpEng.exe", "svchost.exe", "services.exe")
  | project Timestamp, DeviceName, AccountName, FileName, FolderPath,
           ProcessCommandLine, InitiatingProcessFileName,
           SHA256, DetectionType="SpoofedSecurityUI"
),
(
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where ProcessCommandLine has_any ("sc stop WinDefend", "sc stop SecurityHealthService", "sc stop wscsvc", "Set-MpPreference -DisableRealtimeMonitoring", "sc config WinDefend start= disabled")
  | project Timestamp, DeviceName, AccountName, FileName,
           ProcessCommandLine, InitiatingProcessFileName,
           InitiatingProcessCommandLine,
           DetectionType="DefenderServiceDisabled"
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sensor Health: Host Status Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Third-party security tools (Norton, McAfee, Bitdefender) that may reference 'Windows Security' or 'SecurityHealth' strings in their own process command lines for integration purposes
System administrators legitimately stopping Windows Defender services during installation of an alternative AV product as part of a documented migration
Portable security scanning tools run from USB or temporary directories that contain 'Defender' or 'Security' in their file names
Windows Update or feature updates that temporarily restart SecurityHealthService from a staging directory before moving files to their final location

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*SecurityHealthSystray.exe" OR Image="*SecurityHealthHost.exe" OR Image="*MSASCuiL.exe")
  NOT (Image="C:\\Windows\\System32\\*" OR Image="C:\\Program Files\\Windows Defender\\*" OR Image="C:\\ProgramData\\Microsoft\\Windows Defender\\*")
| eval DetectionType="FakeSecurityProcess_WrongPath"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Hashes, DetectionType
| sort - _time
| append [
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*sc stop WinDefend*" OR CommandLine="*sc stop SecurityHealthService*" OR CommandLine="*sc stop wscsvc*" OR CommandLine="*DisableRealtimeMonitoring*" OR CommandLine="*sc config WinDefend start= disabled*")
  | eval DetectionType="DefenderServiceDisabled"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType
  | sort - _time
]
| append [
  search index=wineventlog sourcetype="WinEventLog:System" EventCode=7036
    (Message="*Windows Defender*" OR Message="*Security Center*" OR Message="*SecurityHealthService*")
    Message="*stopped*"
  | eval DetectionType="SecurityServiceStopped"
  | table _time, host, Message, DetectionType
  | sort - _time
]

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Service: Service Metadata Sysmon Event ID 1 Windows System Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:System

False Positives

Third-party security tools that reference Windows Security strings in their command lines for integration
Administrators legitimately stopping Defender during alternative AV product installation
Windows servicing operations that temporarily stop and restart security services during feature updates
Security product uninstallation workflows that stop services before removing binaries

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(deviceTime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       sourceip,
       username,
       "Application" AS process_name,
       "Command" AS command_line,
       QIDNAME(qid) AS event_name,
       LOGSOURCENAME(logsourceid) AS log_source,
       CASE
         WHEN LOWER("Application") IN ('securityhealthsystray.exe','securityhealthhost.exe','msascuil.exe','nisSrv.exe')
              AND NOT ("FilePath" LIKE 'C:\Windows\System32%'
                    OR "FilePath" LIKE 'C:\Program Files\Windows Defender%'
                    OR "FilePath" LIKE 'C:\ProgramData\Microsoft\Windows Defender%')
           THEN 'FakeSecurityProcess_WrongPath'
         WHEN ("Command" ILIKE '%SecurityHealth%' OR "Command" ILIKE '%Windows Defender%' OR "Command" ILIKE '%WindowsSecurity%')
              AND LOWER("Application") NOT IN ('securityhealthsystray.exe','securityhealthhost.exe','msascuil.exe','nisSrv.exe','msmpeng.exe','svchost.exe','services.exe')
           THEN 'SpoofedSecurityUI'
         WHEN ("Command" ILIKE '%sc stop WinDefend%'
            OR "Command" ILIKE '%sc stop SecurityHealthService%'
            OR "Command" ILIKE '%sc stop wscsvc%'
            OR "Command" ILIKE '%DisableRealtimeMonitoring%'
            OR "Command" ILIKE '%sc config WinDefend start= disabled%')
           THEN 'DefenderServiceDisabled'
         ELSE 'Unknown'
       END AS detection_type
FROM events
WHERE LOGSOURCETYPEID IN (12, 13)
  AND deviceTime > DATEADD('hour', -24, NOW())
  AND (
    (
      LOWER("Application") IN ('securityhealthsystray.exe','securityhealthhost.exe','msascuil.exe','nisSrv.exe')
      AND NOT ("FilePath" LIKE 'C:\Windows\System32%'
            OR "FilePath" LIKE 'C:\Program Files\Windows Defender%'
            OR "FilePath" LIKE 'C:\ProgramData\Microsoft\Windows Defender%')
    ) OR
    (
      ("Command" ILIKE '%SecurityHealth%' OR "Command" ILIKE '%Windows Defender%' OR "Command" ILIKE '%WindowsSecurity%')
      AND LOWER("Application") NOT IN ('securityhealthsystray.exe','securityhealthhost.exe','msascuil.exe','nisSrv.exe','msmpeng.exe','svchost.exe','services.exe')
    ) OR
    (
      "Command" ILIKE '%sc stop WinDefend%'
      OR "Command" ILIKE '%sc stop SecurityHealthService%'
      OR "Command" ILIKE '%sc stop wscsvc%'
      OR "Command" ILIKE '%DisableRealtimeMonitoring%'
      OR "Command" ILIKE '%sc config WinDefend start= disabled%'
    )
  )
ORDER BY deviceTime DESC

critical severity high confidence

Data Sources

Windows Security Event Log Sysmon Operational Log

Required Tables

events

False Positives

Portable or USB-deployed endpoint security tools that ship Defender-named executables outside standard system paths
Endpoint management platforms (SCCM, Intune) running sc.exe commands to reconfigure Defender as part of policy enforcement
Red team or penetration testing engagements executing Defender evasion commands on authorized targets

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse "EventCode=*" as event_code nodrop
| parse "Image=*" as process_image nodrop
| parse "CommandLine=*" as command_line nodrop
| parse "ParentImage=*" as parent_image nodrop
| parse "User=*" as user nodrop
| parse "Computer=*" as host nodrop
| where event_code = "1"
| eval process_name = replace(process_image, /.*\\/, "")
| eval is_fake_path = if(
    (process_name matches /(?i)SecurityHealthSystray\.exe|SecurityHealthHost\.exe|MSASCuiL\.exe|NisSrv\.exe/)
    AND NOT (process_image matches /(?i)C:\\Windows\\System32|C:\\Program Files\\Windows Defender|C:\\ProgramData\\Microsoft\\Windows Defender/),
    1, 0)
| eval is_spoofed_ui = if(
    (command_line matches /(?i)SecurityHealth|Windows Defender|WindowsSecurity/)
    AND NOT (process_name matches /(?i)SecurityHealthSystray\.exe|SecurityHealthHost\.exe|MSASCuiL\.exe|NisSrv\.exe|MsMpEng\.exe|svchost\.exe|services\.exe/),
    1, 0)
| eval is_defender_disabled = if(
    command_line matches /(?i)sc stop WinDefend|sc stop SecurityHealthService|sc stop wscsvc|DisableRealtimeMonitoring|sc config WinDefend start= disabled/,
    1, 0)
| where is_fake_path = 1 OR is_spoofed_ui = 1 OR is_defender_disabled = 1
| eval detection_type = if(is_fake_path = 1, "FakeSecurityProcess_WrongPath",
    if(is_spoofed_ui = 1, "SpoofedSecurityUI",
    if(is_defender_disabled = 1, "DefenderServiceDisabled", "Unknown")))
| table _messageTime, host, user, process_image, command_line, parent_image, detection_type
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Sysmon Operational Windows Security Event Log

Required Tables

windows/sysmon windows/security

False Positives

Backup and recovery software that bundles Defender-named helper executables that run from non-standard installation directories
IT automation scripts that temporarily stop Defender services before running enterprise software deployments
Security research sandboxes that deliberately replicate defender process names for behavioral analysis purposes

Google Chronicle / SecOps

yaral

rule t1562_011_spoof_security_alerting {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1562.011 Spoof Security Alerting — fake Windows Security GUIs and Defender service disablement. Observed in Black Basta ransomware via FIN7-linked EDR evasion tools."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1562.011"
    severity = "CRITICAL"
    priority = "HIGH"
    created = "2026-04-21"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        (
          (
            re.regex($e.target.process.file.full_path, `(?i)(SecurityHealthSystray\.exe|SecurityHealthHost\.exe|MSASCuiL\.exe|NisSrv\.exe)$`)
          )
          and not (
            re.regex($e.target.process.file.full_path, `(?i)^C:\\Windows\\System32\\`) or
            re.regex($e.target.process.file.full_path, `(?i)^C:\\Program Files\\Windows Defender\\`) or
            re.regex($e.target.process.file.full_path, `(?i)^C:\\ProgramData\\Microsoft\\Windows Defender\\'`)
          )
        ) or
        (
          re.regex($e.target.process.command_line, `(?i)(SecurityHealth|Windows Defender|WindowsSecurity)`) and
          not re.regex($e.target.process.file.full_path, `(?i)(SecurityHealthSystray\.exe|SecurityHealthHost\.exe|MSASCuiL\.exe|NisSrv\.exe|MsMpEng\.exe|svchost\.exe|services\.exe)$`)
        ) or
        (
          re.regex($e.target.process.command_line, `(?i)(sc stop WinDefend|sc stop SecurityHealthService|sc stop wscsvc|DisableRealtimeMonitoring|sc config WinDefend start= disabled)`)
        )
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Windows Endpoint Detection Sysmon via Chronicle forwarder

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Enterprise endpoint management solutions that temporarily stage or run Defender-related binaries from temp directories during update or remediation workflows
Custom security dashboards or monitoring tools that invoke Defender command-line interfaces from non-standard script directories
Incident response toolkits that collect Defender status by calling sc.exe with Defender service names for forensic triage

CrowdStrike LogScale (CQL)

cql

// T1562.011 — Spoof Security Alerting: Fake Defender GUIs and Service Disablement
#event_simpleName=ProcessRollup2
| FileName = /(?i)(SecurityHealthSystray\.exe|SecurityHealthHost\.exe|MSASCuiL\.exe|NisSrv\.exe|MsMpEng\.exe)/
  OR CommandLine = /(?i)(SecurityHealth|Windows Defender|WindowsSecurity|sc stop WinDefend|sc stop SecurityHealthService|sc stop wscsvc|DisableRealtimeMonitoring|sc config WinDefend start= disabled)/
| eval DetectionType = case(
    FileName = /(?i)(SecurityHealthSystray\.exe|SecurityHealthHost\.exe|MSASCuiL\.exe|NisSrv\.exe)/
    AND ImageFileName != /(?i)(C:\\Windows\\System32|C:\\Program Files\\Windows Defender|C:\\ProgramData\\Microsoft\\Windows Defender)/,
    "FakeSecurityProcess_WrongPath",
    CommandLine = /(?i)(SecurityHealth|Windows Defender|WindowsSecurity)/
    AND FileName != /(?i)(SecurityHealthSystray\.exe|SecurityHealthHost\.exe|MSASCuiL\.exe|NisSrv\.exe|MsMpEng\.exe|svchost\.exe|services\.exe)/,
    "SpoofedSecurityUI",
    CommandLine = /(?i)(sc stop WinDefend|sc stop SecurityHealthService|sc stop wscsvc|DisableRealtimeMonitoring|sc config WinDefend start= disabled)/,
    "DefenderServiceDisabled",
    true, null)
| where DetectionType != null
| groupBy([ComputerName, UserName, FileName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType], function=count(as=EventCount))
| sort(EventCount, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Falcon ProcessRollup2 events

Required Tables

ProcessRollup2

False Positives

BYOVD (Bring Your Own Vulnerable Driver) detection tools that enumerate Defender process names from arbitrary working directories during threat hunting exercises
Software packaging systems that temporarily extract and stage Defender-named helper binaries to temp paths before installation validation
Corporate SOC scripts using sc.exe to audit Defender service state across endpoints during incident triage — flagged due to keyword overlap with attacker commands

Last updated: 2026-04-21 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1562.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Spoof Security Alerting

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections