Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0730: Detection of Supply Chain Compromise

DET0730 is a detection strategy entry for identifying Supply Chain Compromise in ICS contexts. Its practical value is that compromised products, software,...

ICSDET0730Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0730 is a detection strategy entry for identifying Supply Chain Compromise in ICS contexts. Its practical value is that compromised products, software, or delivery workflows can introduce risk before the asset ever reaches operations, making normal perimeter monitoring insufficient. For leaders, this is a governance and resilience issue: detection depends on whether procurement, engineering, OT operations, SOC, and incident response can connect supplier-origin evidence with changes observed in the control systems environment.

Executive priority

Treat this as a priority for operational resilience and third-party risk validation rather than only a SOC rule-writing problem. Executives should ask whether the organization can prove what software, devices, updates, and vendor workflows are trusted before they enter ICS environments, and whether there is an incident decision process for isolating or investigating supplier-provided components when compromise is suspected. This also supports audit and compliance evidence around supplier assurance, change control, asset integrity, and incident readiness.

Technical view

The supplied ATT&CK object does not provide specific platforms, tactics, or detection logic. The relationship context shows that DET0730 detects ICS technique T0862: Supply Chain Compromise, involving manipulation of products, software, devices, or delivery mechanisms before receipt by the end consumer. SOC, OT, and IR teams should therefore validate whether they can correlate supply-chain events with environment-side changes, including new or modified software, firmware, devices, update packages, vendor-delivered media, remote maintenance workflows, and unexpected behavior after installation or update. Detection engineering should focus on integrity validation, change-control exceptions, asset provenance, and investigation workflows rather than assuming a single log source will identify the behavior.

Likely telemetry

  • Asset inventory and configuration baselines for ICS devices, software, firmware, and engineering workstations
  • Change-management and maintenance records for installations, updates, vendor activity, and acceptance testing
  • Software, firmware, package, and device integrity evidence such as hashes, signatures, approved versions, and provenance records
  • Network and host telemetry showing behavior changes after newly introduced products, software, or updates
  • Vendor access, delivery, and workflow records where available

Detection direction

  • Validate that supplier-origin changes can be traced from procurement or receipt through deployment into the ICS environment.
  • Tune detections around unauthorized or unexpected changes relative to approved baselines, especially after vendor updates, new devices, or workflow changes.
  • Correlate environment anomalies with recent supply-chain events instead of reviewing OT telemetry in isolation.
  • Account for false positives from legitimate maintenance, commissioning, patching, and vendor support activity by requiring strong change-control context.
  • Identify blind spots where supplier records, installation evidence, asset baselines, or OT telemetry are not retained or not accessible to the SOC/IR team.

Mitigation priorities

  • Prioritize authoritative asset inventory, approved-version baselines, and change-control evidence for ICS hardware, software, firmware, and vendor-delivered updates.
  • Require integrity and provenance checks before introducing supplier-provided products, software, or workflows into control systems environments.
  • Define escalation and isolation procedures for suspected supplier-origin compromise before an incident occurs.
  • Ensure SOC, OT engineering, procurement, vendor management, and IR teams share the records needed to investigate supply-chain-origin events.
  • Use tabletop exercises or detection validation to test whether a suspicious vendor update, device, or workflow change would be noticed and escalated.
Analyst notes and limits

This take is based on the DET0730 detection strategy metadata and its relationship to ICS ATT&CK technique T0862, Supply Chain Compromise. The object itself has no official description, detection text, tactics, platforms, aliases, or labels, so the guidance emphasizes defensible validation questions and evidence classes rather than specific analytics.

No active exploitation, attribution, affected platforms, specific data sources, or guaranteed detection coverage are supplied in the official fields. Environment-specific architecture, supplier processes, logging, and OT change-control practices are required to turn this into concrete detections.

Official MITRE ATT&CK definition

Detection of Supply Chain Compromise

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
ICS T0862 Supply Chain Compromise This object detects Supply Chain Compromise.
Relationship explorer

All related ATT&CK context

detects · Technique T0862: Supply Chain Compromise ICS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
83e76d11aab78abb...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 83e76d11aab7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0730
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use