Impair Defenses: Spoof Security Alerting

Other sub-techniques of Impair Defenses (13)

ID	Name
ATAGS-T1097.001	Triggering the clear mode
ATAGS-T1097.002	Disable or Modify Cloud Firewall
ATAGS-T1097.003	Disable or Modify Cloud Logs
ATAGS-T1097.004	Disable or Modify Linux Audit System
ATAGS-T1097.005	Disable or Modify Network Device Firewall
ATAGS-T1097.006	Disable or Modify System Firewall
ATAGS-T1097.007	Disable or Modify Tools
ATAGS-T1097.008	Disable Windows Event Logging
ATAGS-T1097.009	Downgrade Attack
ATAGS-T1097.010	Impair Command History Logging
ATAGS-T1097.011	Indicator Blocking
ATAGS-T1097.012	Safe Mode Boot
ATAGS-T1097.013	Spoof Security Alerting

Threat Actors may spoof security alerting from tools, presenting false evidence to impair defenders’ awareness of malicious activity. Messages produced by defensive tools contain information about potential security events as well as the functioning status of security software and the system. Security reporting messages are important for monitoring the normal operation of a system and identifying important events that can signal a security incident.

ID: ATAGS-T1097.013

Sub-technique of: ATAGS-T1097

ⓘ

Tactic: Defense Evasion

ⓘ

Targeted Components: Software

ⓘ

Responsibility: Provider

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.