MITRE ATT&CK Technique
Defense Evasion T1562.011
Description

Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity.(Citation: BlackBasta) Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.

Rather than or in addition to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), an adversary can spoof positive affirmations that security tools are continuing to function even after legitimate security tools have been disabled (e.g., [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)). An adversary can also present a “healthy” system status even after infection. This can be abused to enable further malicious activity by delaying defender responses.

For example, adversaries may show a fake Windows Security GUI and tray icon with a “healthy” system status after Windows Defender and other system tools have been disabled.(Citation: BlackBasta)

Supported Platforms
Windows, macOS, Linux
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2023-03-14T16:04:24.865Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may spoof security alerting from tools, '
                'presenting false evidence to impair defenders’ awareness of '
                'malicious activity.(Citation: BlackBasta) Messages produced '
                'by defensive tools contain information about potential '
                'security events as well as the functioning status of security '
                'software and the system. Security reporting messages are '
                'important for monitoring the normal operation of a system and '
                'identifying important events that can signal a security '
                'incident.\n'
                '\n'
                'Rather than or in addition to [Indicator '
                'Blocking](https://attack.mitre.org/techniques/T1562/006), an '
                'adversary can spoof positive affirmations that security tools '
                'are continuing to function even after legitimate security '
                'tools have been disabled (e.g., [Disable or Modify '
                'Tools](https://attack.mitre.org/techniques/T1562/001)). An '
                'adversary can also present a “healthy” system status even '
                'after infection. This can be abused to enable further '
                'malicious activity by delaying defender responses.\n'
                '\n'
                'For example, adversaries may show a fake Windows Security GUI '
                'and tray icon with a “healthy” system status after Windows '
                'Defender and other system tools have been disabled.(Citation: '
                'BlackBasta)',
 'external_references': [{'external_id': 'T1562.011',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1562/011'},
                         {'description': 'Antonio Cocomazzi and Antonio '
                                         'Pirozzi. (2022, November 3). Black '
                                         'Basta Ransomware | Attacks Deploy '
                                         'Custom EDR Evasion Tools Tied to '
                                         'FIN7 Threat Actor. Retrieved March '
                                         '14, 2023.',
                          'source_name': 'BlackBasta',
                          'url': 'https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/'}],
 'id': 'attack-pattern--bef8aaee-961d-4359-a308-4c2182bcedff',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'}],
 'modified': '2025-04-15T23:12:05.813Z',
 'name': 'Spoof Security Alerting',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Menachem Goldstein'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows', 'macOS', 'Linux'],
 'x_mitre_version': '1.0'}