Detect Spoof Security Alerting in IBM QRadar
Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders' awareness of malicious activity. Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Rather than or in addition to Indicator Blocking, an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled. An adversary can also present a 'healthy' system status even after infection. For example, adversaries may show a fake Windows Security GUI and tray icon with a 'healthy' system status after Windows Defender and other system tools have been disabled. This technique was observed in Black Basta ransomware campaigns using custom EDR evasion tools tied to FIN7.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1562 Impair Defenses
- Sub-technique
- T1562.011 Spoof Security Alerting
- Canonical reference
- https://attack.mitre.org/techniques/T1562/011/
QRadar Detection Query
SELECT DATEFORMAT(deviceTime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    sourceip,
    username,
    "Application" AS process_name,
    "Command" AS command_line,
    QIDNAME(qid) AS event_name,
    LOGSOURCENAME(logsourceid) AS log_source,
    CASE
        -- Pattern 1: a Windows Security UI binary launched from outside its expected directories
        WHEN LOWER("Application") IN ('securityhealthsystray.exe','securityhealthhost.exe','msascuil.exe','nissrv.exe')
            AND NOT ("FilePath" LIKE 'C:\Windows\System32%'
                OR "FilePath" LIKE 'C:\Program Files\Windows Defender%'
                OR "FilePath" LIKE 'C:\ProgramData\Microsoft\Windows Defender%')
        THEN 'FakeSecurityProcess_WrongPath'
        -- Pattern 2: a process that is not a Defender component referencing Windows Security in its command line
        WHEN ("Command" ILIKE '%SecurityHealth%' OR "Command" ILIKE '%Windows Defender%' OR "Command" ILIKE '%WindowsSecurity%')
            AND LOWER("Application") NOT IN ('securityhealthsystray.exe','securityhealthhost.exe','msascuil.exe','nissrv.exe','msmpeng.exe','svchost.exe','services.exe')
        THEN 'SpoofedSecurityUI'
        -- Pattern 3: explicit service-control or configuration commands against Defender services
        WHEN ("Command" ILIKE '%sc stop WinDefend%'
            OR "Command" ILIKE '%sc stop SecurityHealthService%'
            OR "Command" ILIKE '%sc stop wscsvc%'
            OR "Command" ILIKE '%DisableRealtimeMonitoring%'
            OR "Command" ILIKE '%sc config WinDefend start= disabled%')
        THEN 'DefenderServiceDisabled'
        ELSE 'Unknown'
    END AS detection_type
FROM events
WHERE LOGSOURCETYPEID IN (12, 13)
    AND (
        (
            LOWER("Application") IN ('securityhealthsystray.exe','securityhealthhost.exe','msascuil.exe','nissrv.exe')
            AND NOT ("FilePath" LIKE 'C:\Windows\System32%'
                OR "FilePath" LIKE 'C:\Program Files\Windows Defender%'
                OR "FilePath" LIKE 'C:\ProgramData\Microsoft\Windows Defender%')
        ) OR
        (
            ("Command" ILIKE '%SecurityHealth%' OR "Command" ILIKE '%Windows Defender%' OR "Command" ILIKE '%WindowsSecurity%')
            AND LOWER("Application") NOT IN ('securityhealthsystray.exe','securityhealthhost.exe','msascuil.exe','nissrv.exe','msmpeng.exe','svchost.exe','services.exe')
        ) OR
        (
            "Command" ILIKE '%sc stop WinDefend%'
            OR "Command" ILIKE '%sc stop SecurityHealthService%'
            OR "Command" ILIKE '%sc stop wscsvc%'
            OR "Command" ILIKE '%DisableRealtimeMonitoring%'
            OR "Command" ILIKE '%sc config WinDefend start= disabled%'
        )
    )
ORDER BY deviceTime DESC
LAST 24 HOURS

QRadar AQL rule detecting T1562.011 Spoof Security Alerting across Windows endpoint log sources (Sysmon Event ID 1 process creation). It flags three behavioural patterns: security-process executables running from non-standard file paths, non-Defender processes referencing Windows Security keywords in their command lines, and explicit service-control commands targeting WinDefend and related security services. Note that the executable names are compared against LOWER("Application"), so every entry in the IN lists must itself be lower-case (a mixed-case entry such as 'nisSrv.exe' would never match), and that the comparison is on the file name while the path check is on "FilePath".
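To make the three patterns testable outside QRadar, here is the same logic in Python applied to a handful of constructed Sysmon Event ID 1 records. This is an added example and not part of the original rule or the vendor's content; the dict field names (Image, CommandLine), the sample events and the use of the full Sysmon Image path in place of the rule's FilePath property are assumptions made for the example.

```python
from typing import List, Optional, Tuple

# Executables that render the Windows Security UI or Defender status
# (the same list the AQL CASE checks, lower-cased so the comparison works).
SECURITY_UI_IMAGES = {
    "securityhealthsystray.exe", "securityhealthhost.exe",
    "msascuil.exe", "nissrv.exe",
}
# Processes that legitimately mention Defender / Windows Security in their
# command line and must not be labelled as a spoofed UI.
LEGIT_SECURITY_IMAGES = SECURITY_UI_IMAGES | {"msmpeng.exe", "svchost.exe", "services.exe"}
# Directories the genuine binaries run from; anything else is suspicious.
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender",
)
SECURITY_KEYWORDS = ("securityhealth", "windows defender", "windowssecurity")
SERVICE_TAMPER = (
    "sc stop windefend", "sc stop securityhealthservice", "sc stop wscsvc",
    "disablerealtimemonitoring", "sc config windefend start= disabled",
)


def classify(event: dict) -> Optional[str]:
    """Return the detection_type label for one process-creation event, or None.

    The checks run in the same order as the AQL CASE expression.  The full
    Sysmon Image path (assumed field name) stands in for the rule's FilePath.
    """
    image = event["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    # Collapse runs of whitespace so spacing differences do not hide a match.
    cmd = " ".join(event["CommandLine"].lower().split())

    if name in SECURITY_UI_IMAGES and not image.startswith(TRUSTED_PREFIXES):
        return "FakeSecurityProcess_WrongPath"
    if any(k in cmd for k in SECURITY_KEYWORDS) and name not in LEGIT_SECURITY_IMAGES:
        return "SpoofedSecurityUI"
    if any(p in cmd for p in SERVICE_TAMPER):
        return "DefenderServiceDisabled"
    return None


def run_detection(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (Image, detection_type) for every event that matches a pattern."""
    hits = []
    for event in events:
        label = classify(event)
        if label is not None:
            hits.append((event["Image"], label))
    return hits


# Constructed Sysmon Event ID 1 records for the example (not real telemetry).
SAMPLE_EVENTS = [
    # UI binary copied to TEMP: wrong path
    {"Image": r"C:\Users\alice\AppData\Local\Temp\SecurityHealthSystray.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\SecurityHealthSystray.exe"'},
    # genuine tray binary from System32: benign
    {"Image": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "CommandLine": r'"C:\Windows\System32\SecurityHealthSystray.exe"'},
    # NisSrv.exe from the Defender platform directory: benign despite mixed case
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0-0\NisSrv.exe",
     "CommandLine": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0-0\NisSrv.exe"'},
    # unknown binary presenting a "Windows Defender" window: spoofed UI
    {"Image": r"C:\Users\alice\Downloads\updater.exe",
     "CommandLine": 'updater.exe --title "Windows Defender" --status healthy'},
    # svchost hosting SecurityHealthService: allow-listed, benign
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s SecurityHealthService"},
    # service stop with irregular spacing: still matched after normalisation
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c sc   stop WinDefend"},
    # real-time monitoring switched off via PowerShell
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for image, label in run_detection(SAMPLE_EVENTS):
        print(f"{label:30} {image}")
```

Running the script prints four hits (the TEMP copy, the fake updater, the sc stop and the Set-MpPreference events) and stays silent on the three benign records, which is the behaviour the allow-lists in the AQL are meant to produce.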
Data Sources
Required Tables
False Positives & Tuning
- Portable or USB-deployed endpoint security tools that ship Defender-named executables outside standard system paths
- Endpoint management platforms (SCCM, Intune) running sc.exe commands to reconfigure Defender as part of policy enforcement
- Red team or penetration testing engagements executing Defender evasion commands on authorized targets
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Fake SecurityHealthSystray from TEMP Directory
  Expected signal: Sysmon Event ID 1: Process Create with Image pointing to %TEMP%\SecurityHealthSystray.exe instead of C:\Windows\System32\. Sysmon Event ID 11: File Create for the copied binary. DeviceProcessEvents in MDE shows FolderPath as the TEMP directory.
- Test 2: Disable Windows Defender Real-Time Monitoring
  Expected signal: Sysmon Event ID 1: Process Create with CommandLine containing 'Set-MpPreference -DisableRealtimeMonitoring'. PowerShell ScriptBlock Log Event ID 4104. Microsoft-Windows-Windows Defender/Operational Event ID 5001 (Real-Time Protection disabled). If Tamper Protection is on, Event ID 1125 (tamper attempt blocked).
- Test 3: Stop Windows Defender Service via sc.exe
  Expected signal: Sysmon Event ID 1: Process Create with CommandLine 'sc stop WinDefend'. System Event ID 7036: WinDefend service entered stopped state. If Tamper Protection is on, the command will fail with Access Denied.
References (5)
- https://attack.mitre.org/techniques/T1562/011/
- https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
- https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
- https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting/