title: Spoof Security Alerting (T1562.011)
id: df00tech-t1562-011
status: experimental
description: "Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders' awareness of malicious activity. Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Rather than or in addition to Indicator Blocking, an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled. An adversary can also present a 'healthy' system status even after infection. For example, adversaries may show a fake Windows Security GUI and tray icon with a 'healthy' system status after Windows Defender and other system tools have been disabled. This technique was observed in Black Basta ransomware campaigns using custom EDR evasion tools tied to FIN7."
references:
  - https://attack.mitre.org/techniques/T1562/011/
  - https://df00tech.com/detections/T1562.011
author: df00tech
date: 2026/04/21
tags:
  - attack.t1562.011
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # PLACEHOLDER: the df00tech logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # As written, the selection below matches every process_creation event (EventID is not a field the
  # Sigma process_creation category keys on), so at level high this rule must not be deployed until
  # the selection is replaced. The false positives listed below indicate what the original logic
  # matches on: 'Windows Security'/'SecurityHealth' strings in process command lines, Windows Defender
  # services being stopped, file names containing 'Defender'/'Security', and SecurityHealthService
  # launched from outside its normal directory.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Third-party security tools (Norton, McAfee, Bitdefender) that may reference 'Windows Security' or 'SecurityHealth' strings in their own process command lines for integration purposes"
  - System administrators legitimately stopping Windows Defender services during installation of an alternative AV product as part of a documented migration
  - "Portable security scanning tools run from USB or temporary directories that contain 'Defender' or 'Security' in their file names"
  - Windows Update or feature updates that temporarily restart SecurityHealthService from a staging directory before moving files to their final location
level: high
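Worked example, added here and not part of the df00tech rule or query: a small Python pass over constructed process-creation events that implements the detection shape the false positives above imply. It flags the Windows Security health binaries (SecurityHealthSystray.exe, SecurityHealthService.exe, SecurityHealthHost.exe) when they launch from anywhere but System32, and separately flags Defender-disabling command lines; a lookalike within ten minutes of a Defender stop on the same host scores high, a lookalike alone medium, a Defender stop alone low (the documented-migration case). The legitimate-directory allowlist, the command-line patterns, the time window and the sample events are all assumptions for illustration, not df00tech's logic.

```python
"""Illustrative T1562.011 detection over constructed process-creation events.

Added example; not the df00tech rule, query, or any vendor's detection logic.
"""
import re
from collections import defaultdict

# Binaries that render Windows Security status. Assumption: they legitimately run only from
# System32; tune LEGIT_DIR if your telemetry shows other paths (e.g. update staging dirs).
HEALTH_IMAGES = {"securityhealthsystray.exe", "securityhealthservice.exe", "securityhealthhost.exe"}
LEGIT_DIR = "c:\\windows\\system32\\"

# Command-line shapes that turn Defender off. Hypothetical pattern list for illustration.
DEFENDER_DISABLE = [
    re.compile(r"\b(sc|net)(\.exe)?\s+(stop|config)\s+windefend\b", re.I),
    re.compile(r"set-mppreference\b.*-disable(realtimemonitoring|ioavprotection|behaviormonitoring)", re.I),
    re.compile(r"reg(\.exe)?\s+add\b.*\\windows defender.*\bdisableanti(spyware|virus)\b", re.I),
]


def normalize_path(path):
    """Lower-case and use backslashes so comparisons are case- and separator-insensitive."""
    return path.replace("/", "\\").lower()


def is_health_lookalike(image):
    """True when a Windows Security health binary name runs from outside LEGIT_DIR.

    Keyed on image name and directory, not on 'Windows Security' strings in the command
    line, so third-party tools that merely mention those strings are not flagged.
    """
    directory, _, name = normalize_path(image).rpartition("\\")
    return name in HEALTH_IMAGES and directory + "\\" != LEGIT_DIR


def is_defender_disable(cmdline):
    """True when the command line matches one of the Defender-disabling patterns."""
    return any(pattern.search(cmdline or "") for pattern in DEFENDER_DISABLE)


def evaluate(events, window=600):
    """Correlate per host: lookalike near a Defender stop -> high, lookalike alone -> medium,
    Defender stop alone -> low. `window` is seconds on either side of the lookalike."""
    by_host = defaultdict(lambda: {"lookalike": [], "disable": []})
    for event in events:
        if is_health_lookalike(event["image"]):
            by_host[event["host"]]["lookalike"].append(event)
        elif is_defender_disable(event.get("cmdline")):
            by_host[event["host"]]["disable"].append(event)

    findings = []
    for host, buckets in by_host.items():
        disable_ts = [d["ts"] for d in buckets["disable"]]
        for la in buckets["lookalike"]:
            correlated = any(abs(la["ts"] - t) <= window for t in disable_ts)
            findings.append({
                "host": host,
                "severity": "high" if correlated else "medium",
                "image": la["image"],
                "reason": "Windows Security health binary launched outside System32"
                          + (" within window of Defender being disabled" if correlated else ""),
            })
        if buckets["disable"] and not buckets["lookalike"]:
            findings.append({
                "host": host,
                "severity": "low",
                "image": buckets["disable"][0]["image"],
                "reason": "Defender disabled with no spoofed health UI seen (possible AV migration)",
            })
    return findings


# Constructed sample events (not real telemetry); ts is seconds since epoch.
SAMPLE_EVENTS = [
    {"host": "host-a", "ts": 100, "image": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "cmdline": "SecurityHealthSystray.exe"},
    {"host": "host-a", "ts": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c sc stop WinDefend"},
    {"host": "host-a", "ts": 260, "image": r"C:\Users\Public\Libraries\SecurityHealthSystray.exe",
     "cmdline": "SecurityHealthSystray.exe"},
    {"host": "host-b", "ts": 300, "image": r"C:\Program Files\Vendor\scan.exe",
     "cmdline": 'scan.exe --integrate "Windows Security"'},
    {"host": "host-b", "ts": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "host-c", "ts": 500, "image": r"D:\tools\SecurityHealthService.exe",
     "cmdline": "SecurityHealthService.exe"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["image"], "-", finding["reason"])
```

On the sample data host-a scores high (fake systray binary sixty seconds after `sc stop WinDefend`), host-c medium (lookalike with no Defender stop), and host-b low (Defender disabled, nothing spoofed). The vendor scanner on host-b that mentions "Windows Security" on its command line produces no finding at all, because the lookalike check keys on image name plus directory rather than strings. If you observe the update-staging case from the false-positive list, extend LEGIT_DIR to an allowlist of directories rather than loosening the name match.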
