DET0741: Detection of Modify Controller Tasking
Analyst context for executives and security teams
DET0741 is a MITRE ATT&CK for ICS detection strategy for identifying behavior related to Modify Controller Tasking (T0821). In business terms, this matters because controller tasking influences how industrial control logic is scheduled and executed. If those task associations are changed without authorization, defenders may be dealing with manipulation of controller behavior rather than ordinary IT malware activity. For executives and security leaders, the decision value is whether the organization can prove it would notice unauthorized changes to controller execution flow before they affect operations.
Executive priority
Treat this as an operational resilience and cyber-physical risk validation item. Leaders should ask whether engineering, OT operations, SOC, and incident response teams have agreed ownership for monitoring and investigating controller tasking changes. Because the ATT&CK object provides no platform, tactic, or detection-detail fields, prioritization should be driven by local criticality: which controllers support safety, production continuity, regulated processes, or high-cost downtime, and whether change evidence is retained for those assets.
Technical view
SOC, OT security, and IR teams should validate visibility around the related technique T0821: modification of controller tasking, including changes to associations between tasks and Program Organization Units where applicable. Since the detection strategy object has no official detection text and no specified platforms, teams should not assume a generic rule exists. Instead, they should confirm which controller engineering workflows, controller configuration records, project files, change-management records, and network or management activity can show that task associations were created or modified, and whether those events can be tied to an approved change window and authorized user or workstation.
Likely telemetry
- Controller configuration or project change records showing task-to-program association changes
- Engineering workstation activity related to controller configuration edits
- OT change-management approvals, maintenance windows, and version history
- Controller upload/download or configuration transfer records where available
- Network or management session logs between engineering systems and controllers, if collected
Detection direction
- Validate that monitoring can distinguish authorized engineering changes from unexpected controller tasking modifications.
- Correlate controller/tasking changes with approved maintenance windows, named change tickets, and expected engineering workstations.
- Prioritize higher-fidelity review for critical controllers because ATT&CK provides no platform-specific detection logic for DET0741.
- Tune for local operational patterns to reduce false positives from legitimate commissioning, maintenance, or process improvement work.
- Check blind spots where engineering tools, controller project files, or OT network paths are not logged or not forwarded to the SOC.
Mitigation priorities
- Establish or verify formal change control for controller tasking and control logic updates.
- Restrict who can modify controller configuration and require accountable engineering access paths.
- Maintain trusted baselines or version history for controller projects so unauthorized tasking changes can be identified.
- Ensure incident response playbooks include OT engineering review before making containment decisions involving controllers.
- Prioritize monitoring and review for controllers tied to safety, production continuity, compliance obligations, or high downtime impact.
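The correlation described under Detection direction and the baseline comparison described under Mitigation priorities can be sketched together. This is an added example, not part of the ATT&CK object or this page's source; DET0741 specifies no platform or data format, so the controller, task, POU and ticket names and all record fields below are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data. Every controller, task, POU, ticket and field name is
# an assumption for illustration; map them to your own exports and records.
BASELINE = {"PLC-07": {"MainTask": ["PumpCtl", "Alarms"], "SlowTask": ["Reporting"]}}
OBSERVED = {"PLC-07": {"MainTask": ["PumpCtl", "Alarms", "NewPOU"], "SlowTask": []}}
TICKETS = [{"id": "CHG-EXAMPLE-1", "controller": "PLC-07",
            "start": datetime(2024, 1, 10, 8), "end": datetime(2024, 1, 10, 12),
            "workstations": {"EWS-01"}, "users": {"eng.alice"}}]
TRANSFERS = [  # configuration transfer records (constructed)
    {"controller": "PLC-07", "time": datetime(2024, 1, 10, 9, 30),
     "workstation": "EWS-01", "user": "eng.alice"},
    {"controller": "PLC-07", "time": datetime(2024, 1, 11, 2, 15),
     "workstation": "HMI-04", "user": "operator"}]

def diff_tasking(baseline, observed):
    """List (controller, task, action, pou) for every association change."""
    changes = []
    for ctrl in sorted(set(baseline) | set(observed)):
        old_tasks, new_tasks = baseline.get(ctrl, {}), observed.get(ctrl, {})
        for task in sorted(set(old_tasks) | set(new_tasks)):
            old, new = set(old_tasks.get(task, [])), set(new_tasks.get(task, []))
            changes += [(ctrl, task, "added", p) for p in sorted(new - old)]
            changes += [(ctrl, task, "removed", p) for p in sorted(old - new)]
    return changes

def mismatches(event, t):
    """Reasons one transfer record falls outside one approved ticket."""
    checks = [(t["start"] <= event["time"] <= t["end"], "outside approved window"),
              (event["workstation"] in t["workstations"], "unexpected workstation"),
              (event["user"] in t["users"], "unexpected user")]
    return [reason for ok, reason in checks if not ok]

def check_transfer(event, tickets):
    """Reasons against the closest ticket for that controller; [] means approved."""
    per_ticket = [mismatches(event, t) for t in tickets
                  if t["controller"] == event["controller"]]
    return min(per_ticket, key=len) if per_ticket else ["no change ticket"]

def review(baseline, observed, transfers, tickets):
    """Per changed controller: the diff, unapproved transfers and an alert flag."""
    findings = {}
    for change in diff_tasking(baseline, observed):
        findings.setdefault(change[0], {"changes": []})["changes"].append(change)
    for ctrl, f in findings.items():
        seen = [e for e in transfers if e["controller"] == ctrl]
        f["unapproved"] = [(e["time"], r) for e in seen if (r := check_transfer(e, tickets))]
        f["alert"] = bool(f["unapproved"]) or not seen  # no record at all = blind spot
    return findings
```

With the sample data, the 02:15 transfer from `HMI-04` fails all three checks and raises the alert, while the 09:30 transfer inside the ticket window does not.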
Analyst notes and limits
This take is based on the supplied DET0741 detection strategy metadata and its relationship to T0821 Modify Controller Tasking. The official object contains no description or detection guidance, so the practical recommendations focus on validation questions and evidence classes that logically follow from the related ATT&CK technique description.
Platforms, tactics, official detection logic, aliases, and labels are not specified in the supplied fields. No claim is made about active exploitation, attribution, affected vendors, guaranteed detection, or existing coverage. Local controller types, engineering tools, logging capabilities, and change-control practices are required to operationalize this detection strategy.
Detection of Modify Controller Tasking
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0821 | Modify Controller Tasking | This object detects Modify Controller Tasking. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9c951c305d68… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0741
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.