Defense Impairment

T1685.003: Modify or Spoof Tool UI

T1685.003 · Sub-technique · 3 platforms

Description

Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response.

Adversaries may present misleading or falsified security tool user interfaces that display normal or healthy status indicators even when the underlying security tools have been disabled, degraded, or otherwise tampered with. Security tools typically provide visibility into system health, alerting, and operational status; by misrepresenting this information, adversaries undermine defender trust in these signals and obscure the true security posture of the system.

This behavior is often used in conjunction with efforts to disable or modify tools, where adversaries first impair the functionality of defenses (e.g., EDR, logging agents) and then replace or mimic their interfaces to conceal the loss of visibility. By maintaining the appearance of normal operations, such as showing active protection, successful updates, or absence of threats, adversaries can delay investigation and response, enabling continued malicious activity.

For example, adversaries may display a fake Windows Security interface or system tray icon indicating a “protected” or “healthy” state after disabling Windows Defender or related services.(Citation: BlackBasta)
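The practical counter to a spoofed "protected" indicator is to never treat the tool's own UI as the source of truth. The following PowerShell script is an added example, not code from the ATT&CK page or from any cited report: it gathers Microsoft Defender's state from four independent sources (the service control manager, the process list, Defender's own status cmdlet, and the Defender operational event log) and only reports the host healthy when all of them agree. It assumes a Windows host with the Defender PowerShell module available; the Security Center query is included for comparison only, since its productState bitfield is not formally documented.

```powershell
# Added example (not from the ATT&CK page): verify Defender state from
# authoritative sources instead of trusting the Windows Security UI or
# tray icon that T1685.003 describes adversaries spoofing.
# Assumes: Windows host, Defender PowerShell module present (Get-MpComputerStatus).

function Get-DefenderGroundTruth {
    $result = [ordered]@{}

    # 1. Service control manager: is the Defender service actually running?
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'Missing' }

    # 2. Is the antimalware engine process present at all?
    $result.EngineProcess = [bool](Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)

    # 3. Defender's status API (not the UI): real-time protection and signature age.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
        $result.AntivirusEnabled   = $mp.AntivirusEnabled
        $result.SignatureAgeDays   = $mp.AntivirusSignatureAge
    } catch {
        # Module or service unavailable counts as a failed check, never as "healthy".
        $result.RealTimeProtection = $false
        $result.AntivirusEnabled   = $false
        $result.SignatureAgeDays   = $null
        $result.StatusApiError     = $_.Exception.Message
    }

    # 4. Security Center's view of registered AV products, reported raw for comparison.
    # productState is an undocumented bitfield, so it is shown but not scored.
    $result.SecurityCenter = Get-CimInstance -Namespace root/SecurityCenter2 `
        -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}: 0x{1:X6}' -f $_.displayName, $_.productState }

    # 5. Defender operational events recording protection being turned off in the last week.
    # 5001 = real-time protection disabled, 5010 = malware scanning disabled.
    $result.DisableEvents = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5010
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    [pscustomobject]$result
}

function Test-DefenderHealthy {
    param([Parameter(Mandatory)] $Truth)
    # Every independent check must pass; one failure means the UI's
    # "protected" indicator should not be believed.
    $Truth.ServiceStatus -eq 'Running' -and
    $Truth.EngineProcess -and
    $Truth.RealTimeProtection -and
    $Truth.AntivirusEnabled -and
    -not $Truth.DisableEvents
}

$truth = Get-DefenderGroundTruth
$truth | Format-List
if (Test-DefenderHealthy -Truth $truth) {
    'Defender state verified from service, process, status API and event log.'
} else {
    'MISMATCH CANDIDATE: an authoritative check failed; do not trust the UI status.'
}
```

Run it from a remote management session or an EDR live-response channel rather than from an interactive desktop on the suspect host: an adversary who has already replaced the UI may also have tampered with local tooling, so the comparison is strongest when the same facts (service state, agent heartbeat, event-log volume) are also arriving independently at the SIEM or management console.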

Platforms

Linux, macOS, Windows

Mitigations (1)

M1038 Execution Prevention

Use application controls to mitigate installation and use of payloads that may be utilized to spoof security alerting.

Associated Software (1)

ID | Name | Type | Context
S9014 | PHASEJAM | Malware | [PHASEJAM](https://attack.mitre.org/software/S9014) has prevented legitimate Ivanti Connect Secure system upgrades by intercepting the upgrade command...

Frequently Asked Questions

What is T1685.003 (Modify or Spoof Tool UI)?

T1685.003 is a MITRE ATT&CK sub-technique named 'Modify or Spoof Tool UI' under the Defense Impairment tactic. Adversaries spoof or manipulate security tool user interfaces (UIs) so that they falsely indicate the tools are functioning normally, typically after first disabling or degrading the underlying tool, in order to conceal the loss of visibility and delay detection and response.

How can T1685.003 be detected?

Detection of T1685.003 (Modify or Spoof Tool UI) rests on not treating a security tool's own interface as the source of truth. Compare what the UI or tray icon reports against independent telemetry: the service and process state of the security agent, the agent's status API or management-console heartbeat, event-log records of protection being disabled, and the continued arrival of the host's logs and alerts at the SIEM. A host whose UI shows a "protected" state while its agent is stopped, its heartbeat has lapsed, or its log volume has dropped to zero is the characteristic signature of this technique. Also watch for the installation or execution of unexpected binaries that render security-tool windows or notifications, which is the behavior the Execution Prevention mitigation targets.

What mitigations exist for T1685.003?

One mitigation is documented for T1685.003: Execution Prevention (M1038), which applies application controls to block the installation and execution of payloads used to spoof security alerting.

Which threat groups use T1685.003?

This page lists no threat groups for T1685.003. Its single associated software entry is PHASEJAM (S9014), and the Windows Security spoofing example in the description is drawn from a BlackBasta citation. Check the MITRE ATT&CK website for the latest attribution.