T1562.011 Elastic Security · Elastic

Detect Spoof Security Alerting in Elastic Security

Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders' awareness of malicious activity. Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Rather than or in addition to Indicator Blocking, an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled. An adversary can also present a 'healthy' system status even after infection. For example, adversaries may show a fake Windows Security GUI and tray icon with a 'healthy' system status after Windows Defender and other system tools have been disabled. This technique was observed in Black Basta ransomware campaigns using custom EDR evasion tools tied to FIN7.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1562 Impair Defenses
Sub-technique
T1562.011 Spoof Security Alerting
Canonical reference
https://attack.mitre.org/techniques/T1562/011/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name with maxspan=5m
[
  any where event.category == "process" and event.type == "start" and
  (
    (
      process.name in~ ("SecurityHealthSystray.exe", "SecurityHealthHost.exe", "MSASCuiL.exe", "NisSrv.exe") and
      not (
        process.executable : "C:\\Windows\\System32\\*" or
        process.executable : "C:\\Program Files\\Windows Defender\\*" or
        process.executable : "C:\\ProgramData\\Microsoft\\Windows Defender\\*"
      )
    ) or
    (
      process.args : ("*SecurityHealth*", "*Windows Defender*", "*WindowsSecurity*") and
      not process.name in~ ("SecurityHealthSystray.exe", "SecurityHealthHost.exe", "MSASCuiL.exe", "NisSrv.exe", "MsMpEng.exe", "svchost.exe", "services.exe")
    ) or
    (
      process.args : ("*sc stop WinDefend*", "*sc stop SecurityHealthService*", "*sc stop wscsvc*", "*DisableRealtimeMonitoring*", "*sc config WinDefend start= disabled*")
    )
  )
]
critical severity high confidence

Detects T1562.011 Spoof Security Alerting by identifying: (1) known Windows Security tray/host processes running from non-standard paths indicating spoofed security GUIs, (2) unexpected processes masquerading as security tools using defender-related keywords in command-line arguments, and (3) explicit commands to disable Windows Defender services. Observed in Black Basta ransomware campaigns using FIN7-linked EDR evasion tooling.

Data Sources

Windows Security EventsSysmonElastic Endpoint

Required Tables

logs-endpoint.events.process-*logs-windows.sysmon_operational-*

False Positives & Tuning

  • Legitimate third-party security software that references Windows Defender in its process arguments for integration or compatibility checks
  • System administrators running sc.exe commands to reconfigure Defender services during sanctioned maintenance windows
  • Security testing tools and vulnerability scanners that reference Defender processes as part of host enumeration
Download portable Sigma rule (.yml)

Other platforms for T1562.011

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Fake SecurityHealthSystray from TEMP Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image pointing to %TEMP%\SecurityHealthSystray.exe instead of C:\Windows\System32\. Sysmon Event ID 11: File Create for the copied binary. DeviceProcessEvents in MDE shows FolderPath as the TEMP directory.

  2. Test 2Disable Windows Defender Real-Time Monitoring

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Set-MpPreference -DisableRealtimeMonitoring'. PowerShell ScriptBlock Log Event ID 4104. Microsoft-Windows-Windows Defender/Operational Event ID 5001 (Real-Time Protection disabled). If Tamper Protection is on, Event ID 1125 (tamper attempt blocked).

  3. Test 3Stop Windows Defender Service via sc.exe

    Expected signal: Sysmon Event ID 1: Process Create with CommandLine 'sc stop WinDefend'. System Event ID 7036: WinDefend service entered stopped state. If Tamper Protection is on, the command will fail with Access Denied.

Last updated: 2026-04-21 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1562.011 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1562Impair Defenses

Related Sub-techniques

T1562.001Disable or Modify ToolsT1562.002Disable Windows Event LoggingT1562.003Impair Command History LoggingT1562.004Disable or Modify System FirewallT1562.006Indicator BlockingT1562.007Disable or Modify Cloud FirewallT1562.008Disable or Modify Cloud LogsT1562.009Safe Mode BootT1562.010Downgrade AttackT1562.012Disable or Modify Linux Audit SystemT1562.013Disable or Modify Network Device Firewall

Related Techniques

T1562Impair DefensesT1562.001Disable or Modify ToolsT1562.006Indicator BlockingT1036MasqueradingT1036.005Match Legitimate Resource Name or LocationT1112Modify RegistryT1543.003Windows ServiceT1489Service Stop

Same Tactic: Defense Evasion

Popular Detections