Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1685.003: Modify or Spoof Tool UI

Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response.

Adversaries may present misleading or falsified security tool interfaces (UIs) that display normal or healthy status indicators, even when underlying security tools have been disabled, degraded, or otherwise tampered with. Security tools typically provide visibility into system health, alerting, and operational status; by misrepresenting this information, adversaries can undermine defender trust in these signals and obscure the true security posture of the system.

This behavior is often used in conjunction with efforts to disable or modify tools, where adversaries first impair the functionality of defenses (e.g., EDR, logging agents) and then replace or mimic their interfaces to conceal the loss of visibility. By maintaining the appearance of normal operations, such as showing active protection, successful updates, or absence of threats, adversaries can delay investigation and response, enabling continued malicious activity.

For example, adversaries may display a fake Windows Security interface or system tray icon indicating a “protected” or “healthy” state after disabling Windows Defender or related services.[1]

EnterpriseT1685.003Sub-techniqueObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Modify or Spoof Tool UI matters because it attacks defender trust. An endpoint or security appliance may appear healthy to an operator while the underlying protection, logging, or update mechanism has been disabled or degraded. For leaders, the risk is delayed incident recognition and false confidence in control status, especially during ransomware-style or defense-impairment activity.

Executive priority

Treat this as an assurance problem, not just a malware behavior. Ask whether security tool health shown to analysts is independently verified by backend telemetry, service state, and log flow. This technique should influence resilience planning, SOC quality checks, compliance evidence for monitoring controls, and incident response playbooks for suspected tool tampering across Linux, macOS, and Windows environments.

Technical view

This sub-technique sits under Disable or Modify Tools and is in the defense-impairment tactic. SOC and IR teams should validate that a 'healthy' local UI or tray indicator is not the sole evidence of protection. Compare user-facing status with backend management console state, running services/processes, update status, configuration integrity, and recent telemetry delivery. ATT&CK does not provide detection text for this object, but it links DET0311, 'Detection for Spoofing Tool UI across OS Platforms,' indicating that detection should focus on cross-checking UI claims against independent system and tool evidence.

Likely telemetry

  • Endpoint security tool service and process state
  • Security agent health and check-in status from centralized management
  • Endpoint logs showing protection status, update status, errors, or tamper events
  • Operating system event logs related to service stop, process termination, configuration changes, or startup changes
  • File integrity or metadata for security tool UI components, icons, shortcuts, or replacement binaries

Detection direction

  • Correlate local UI-reported health with independent backend agent status and recent telemetry arrival.
  • Alert on mismatches such as a healthy UI while services are stopped, updates are failing, logs are absent, or management-console check-ins have stopped.
  • Tune for legitimate maintenance, software upgrades, agent repair workflows, and user interface caching to reduce false positives.
  • Use the relationship to T1685 to look for nearby defense-impairment activity, including stopped services, killed processes, modified configuration, deleted logs, or blocked updates.
  • Account for the revoked predecessor T1562.011 when mapping older content or reports to this current technique ID.

Mitigation priorities

  • Prioritize M1038 Execution Prevention so unauthorized or malicious code that replaces, mimics, or launches spoofed security interfaces is less likely to run.
  • Use application control and script blocking policies appropriate to the operating system and administrative model.
  • Protect security tool components and configuration from unauthorized modification through standard hardening and change-control practices.
  • Require independent health validation in SOC and IR procedures rather than relying on local UI indicators alone.
  • During incidents, verify agent function by checking backend telemetry, service state, and recent event flow before trusting endpoint-visible status.
Analyst notes and limits

The most important defensive question is whether the organization can prove its tools are functioning from independent evidence. This technique is especially material when paired with broader tool disabling or modification. The supplied relationships include PHASEJAM as software using this behavior and a BlackBasta reference as the citation source, but this take does not infer current activity, attribution, or customer exposure from those references.

The official ATT&CK object provides no detection procedure and only one mitigation relationship. Telemetry names and validation steps are derived from the described behavior and related parent technique context, so teams must confirm applicability against their actual security tools, operating systems, logging architecture, and change-management practices.

Official MITRE ATT&CK definition

Modify or Spoof Tool UI

Adversaries may spoof or manipulate security tool user interfaces (UIs) to falsely indicate tools are functioning normally and delay detection and response.

Adversaries may present misleading or falsified security tool interfaces (UIs) that display normal or healthy status indicators, even when underlying security tools have been disabled, degraded, or otherwise tampered with. Security tools typically provide visibility into system health, alerting, and operational status; by misrepresenting this information, adversaries can undermine defender trust in these signals and obscure the true security posture of the system.

This behavior is often used in conjunction with efforts to disable or modify tools, where adversaries first impair the functionality of defenses (e.g., EDR, logging agents) and then replace or mimic their interfaces to conceal the loss of visibility. By maintaining the appearance of normal operations, such as showing active protection, successful updates, or absence of threats, adversaries can delay investigation and response, enabling continued malicious activity.

For example, adversaries may display a fake Windows Security interface or system tray icon indicating a “protected” or “healthy” state after disabling Windows Defender or related services.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows
Domain ID Name Relationship / procedure
Enterprise T1685 Disable or Modify Tools This object subtechnique of Disable or Modify Tools.
Enterprise T1562.011 Spoof Security Alerting Sub-technique Spoof Security Alerting revoked by this object.
Associated objects

Groups, software, and campaigns

Malware Enterprise

S9014: PHASEJAM

PHASEJAM is a dropper written as a bash shell script that modifies Ivanti Connect Secure appliance components. PHASEJAM was first reported in January 2025. PHASEJAM has previously been leveraged by People's Republic of China (PRC)- affiliated actors identified as UNC5221 and SYLVANITE.[1][2]

LinuxNetwork Devices
Relationship explorer

All related ATT&CK context

detects · Detection Strategy DET0311: Detection for Spoofing Tool UI across OS Platforms Enterprise subtechnique of · Technique T1685: Disable or Modify Tools Enterprise uses · Malware S9014: PHASEJAM Enterprise revoked by · Technique T1562.011: Spoof Security Alerting Enterprise mitigates · Mitigation M1038: Execution Prevention Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1038: Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures:

Application Control:

- Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`)

Script Blocking:

- Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`)

Executable Blocking:

- Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories.

Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
279f8e2f5bfc573d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 279f8e2f5bfc…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    BlackBasta

    Antonio Cocomazzi and Antonio Pirozzi. (2022, November 3). Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor. Retrieved March 14, 2023.

    Open source URL
  2. [2]
    mitre-attack T1685.003
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use