AN2045: Analytic 2045
Unauthorized messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out-of-band process data sources. Unauthorized messages may not precisely match legitimate messages, which may lead to malformed traffic, although traffic may be malformed for benign reasons. Monitor messages for changes in how they are constructed.
Monitor for anomalous or unexpected messages that may result in changes to the process operation observable via asset application logs (e.g., discrete write, logic and device configuration, mode changes, safety triggers).
Consider monitoring for Rogue Master and Adversary-in-the-Middle activity which may precede this technique.
Analyst context for executives and security teams
AN2045 is an ICS detection analytic focused on spotting unauthorized or unexpected automation-protocol messages by inspecting message content, construction, and resulting process/application behavior. Its business value is that malformed or unexpected control messages can be an early sign of activity that may affect process operation, configuration, modes, or safety-related triggers. For executives and security leaders, the decision point is whether the organization has enough visibility into industrial protocol traffic and asset application logs to distinguish expected operational changes from suspicious messages before they become an operational resilience issue.
Executive priority
Prioritize this as an OT/ICS monitoring and resilience question rather than a standalone alert. Leaders should ask whether SOC and OT teams can validate expected protocol values, compare network messages with independent process data sources, and review asset logs for discrete writes, logic or device configuration changes, mode changes, and safety triggers. This supports incident decision-making, audit evidence for monitoring controls, and cyber-physical risk management, especially where unauthorized messages could influence process operations.
Technical view
For SOC, detection engineering, and incident response teams, the supplied ATT&CK analytic points to content inspection of automation protocols and correlation with out-of-band process data and asset application logs. Validate whether monitoring can identify anomalous message construction, unexpected values, malformed traffic, and process-impacting events such as discrete writes, configuration changes, mode changes, or safety triggers. Because malformed traffic can occur for benign reasons, tune detections with OT engineering context and expected operational baselines. The description also recommends considering activity associated with Rogue Master (T0848) and Adversary-in-the-Middle (T0830) as possible preceding context, but no relationships are supplied for this object.
Likely telemetry
- Automation protocol message content and field values
- Network traffic showing malformed or unexpectedly constructed automation messages
- Out-of-band process data sources used to compare expected process state against observed messages
- Asset application logs
- Events for discrete writes
Detection direction
- Validate that ICS protocol monitoring can compare messages against expected values and known-good construction patterns.
- Correlate automation messages with independent process data where available to identify messages inconsistent with process state.
- Monitor asset application logs for operational changes that could reflect unauthorized messages, including writes, configuration changes, mode changes, and safety triggers.
- Treat malformed traffic carefully: it may be suspicious, but benign causes are explicitly possible, so triage should include operational context and change windows.
- Review whether monitoring for Rogue Master (T0848) and Adversary-in-the-Middle (T0830) activity provides useful preceding context, while recognizing no explicit relationship context was supplied with this analytic.
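The detection directions above can be tried out on sample traffic. The block below is an added example, not code from the ATT&CK object or from Glexia: it uses a simplified, Modbus-like write-message structure, an expected-value baseline, a historian reading as the out-of-band process source, and asset application log lines, all of which are constructed here for illustration. It checks message construction (source station, function, frame length), compares write values against engineering limits and the process reading, confirms process impact against the asset log, and downgrades severity inside an approved change window so that benign malformed traffic is triaged rather than suppressed.

```python
from dataclasses import dataclass


@dataclass
class Message:
    ts: int          # epoch seconds the message was seen on the wire
    src: str         # sending station
    dst: str         # target controller
    func: str        # simplified function name (constructed, Modbus-like)
    addr: int        # register or coil address
    value: int       # written value (ignored for reads)
    frame_len: int   # observed frame length in bytes


@dataclass
class Baseline:
    authorized_masters: set   # stations allowed to issue writes
    expected_frame_len: dict  # func -> known-good frame length
    register_limits: dict     # addr -> (lo, hi) engineering limits
    process_tolerance: dict   # addr -> max |value - historian reading|


def check_construction(msg, baseline):
    """Flag messages whose construction differs from known-good traffic."""
    findings = []
    if msg.src not in baseline.authorized_masters:
        findings.append("unexpected source station")
    if msg.func not in baseline.expected_frame_len:
        findings.append("unknown function")
    elif msg.frame_len != baseline.expected_frame_len[msg.func]:
        findings.append("malformed frame length")
    return findings


def check_values(msg, baseline, process_state):
    """Compare a write payload with expected limits and out-of-band process data."""
    findings = []
    if not msg.func.startswith("write"):
        return findings
    limits = baseline.register_limits.get(msg.addr)
    if limits and not limits[0] <= msg.value <= limits[1]:
        findings.append("value outside engineering limits")
    reading = process_state.get(msg.addr)
    tol = baseline.process_tolerance.get(msg.addr)
    if reading is not None and tol is not None and abs(msg.value - reading) > tol:
        findings.append("inconsistent with out-of-band process data")
    return findings


def parse_app_log(line):
    """Parse a constructed log line: '<epoch> <asset> <event> addr=<n> value=<n>'."""
    ts, asset, event, addr, value = line.split()
    return int(ts), asset, event, int(addr.split("=")[1]), int(value.split("=")[1])


def confirmed_by_app_log(msg, log_lines, window=5):
    """True when the target asset logged the same write shortly after the message."""
    for line in log_lines:
        ts, asset, event, addr, value = parse_app_log(line)
        if (asset == msg.dst and event == "WRITE" and addr == msg.addr
                and value == msg.value and 0 <= ts - msg.ts <= window):
            return True
    return False


def in_change_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def triage(messages, baseline, process_state, log_lines, change_windows=()):
    """One alert per message with findings; severity reflects logged process
    impact and approved change windows so benign anomalies are not suppressed."""
    alerts = []
    for msg in messages:
        findings = check_construction(msg, baseline) + check_values(msg, baseline, process_state)
        if not findings:
            continue
        confirmed = confirmed_by_app_log(msg, log_lines)
        if in_change_window(msg.ts, change_windows):
            severity = "low"
        elif confirmed:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"ts": msg.ts, "src": msg.src, "dst": msg.dst, "addr": msg.addr,
                       "findings": findings, "process_impact_logged": confirmed,
                       "severity": severity})
    return alerts


# Constructed sample data: HMI1 is the approved master for PLC1, register 40010 is a setpoint.
BASELINE = Baseline(
    authorized_masters={"HMI1"},
    expected_frame_len={"read": 12, "write_register": 12, "write_coil": 12},
    register_limits={40010: (0, 1000)},
    process_tolerance={40010: 200},
)
PROCESS_STATE = {40010: 500}  # historian reading for the setpoint register
APP_LOG = [
    "1700000001 PLC1 WRITE addr=40010 value=520",
    "1700000031 PLC1 WRITE addr=40010 value=990",
]
MESSAGES = [
    Message(1700000000, "HMI1", "PLC1", "write_register", 40010, 520, 12),  # expected traffic
    Message(1700000030, "ENG7", "PLC1", "write_register", 40010, 990, 11),  # unexpected station, short frame
    Message(1700000060, "HMI1", "PLC1", "write_register", 40010, 950, 12),  # inside maintenance window
]
CHANGE_WINDOWS = [(1700000050, 1700000100)]

if __name__ == "__main__":
    for alert in triage(MESSAGES, BASELINE, PROCESS_STATE, APP_LOG, CHANGE_WINDOWS):
        print(alert)
```

The first message produces no alert; the second is raised as high severity because its construction and value both deviate and the asset log confirms the write took effect; the third has an out-of-range value but falls in an approved change window, so it is kept at low severity for review rather than dropped. In a real deployment the baseline and tolerances come from OT engineering, and the historian reading should be taken from a source independent of the monitored network path.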
Mitigation priorities
- Establish and maintain baselines for expected automation-protocol values, message structures, and normal process-operation changes.
- Ensure OT asset logging and process data sources are available to defenders and retained long enough to support incident response.
- Coordinate SOC detection tuning with OT engineering teams so alerts reflect legitimate operating modes, maintenance activity, and approved configuration changes.
- Use this analytic to drive control validation: confirm visibility exists before relying on detections for compliance, resilience, or incident response evidence.
- Document known benign malformed traffic patterns and approved operational exceptions to reduce false positives without suppressing meaningful anomalies.
Analyst notes and limits
This object is a detection analytic in the ICS ATT&CK domain with no platform, tactic, or relationship data supplied. The strongest defensive interpretation is visibility validation: whether teams can inspect automation messages, compare them to expected values or out-of-band process data, and correlate them with asset application logs. The official text notes Rogue Master and Adversary-in-the-Middle as activity to consider as possible preceding context.
No official detection field, platforms, tactics, labels, aliases, or relationship context were provided. This take does not assert active exploitation, actor attribution, impact, or existing detection coverage. Local protocol details, asset inventory, process baselines, and OT engineering input are required to turn this analytic into reliable detections.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 28c331dd9649… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN2045 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.