Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0742: Detection of Execution through API

DET0742 is a detection strategy entry for identifying ICS behavior where software uses APIs to trigger functions on devices or other control software. The...

ICSDET0742Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0742 is a detection strategy entry for identifying ICS behavior where software uses APIs to trigger functions on devices or other control software. The business issue is not the API concept itself; it is whether the organization can distinguish expected control-system API activity from API use that could change process behavior, disrupt operations, or complicate incident response. Because the ATT&CK entry provides no official detection logic or platform detail, this should be treated as a validation prompt rather than a ready-made analytic.

Executive priority

For security and operations leaders, the priority is to confirm that API-driven execution paths in control environments are known, owned, monitored, and reviewable during an incident. This matters for operational resilience, audit evidence, and IR readiness: if critical device or control-software functions can be invoked through APIs, teams need evidence showing who or what called those APIs, from where, and whether the action was expected. Budget and control decisions should focus on visibility into control software-to-device interactions and governance over authorized API use.

Technical view

SOC, detection engineering, and IR teams should map legitimate API interactions between control software, devices, and related applications, then validate what telemetry exists to observe API calls that engage device or software functions. Since the official object does not specify platforms, tactics, or detection analytics, detection content should be locally engineered around known ICS applications, API endpoints or interfaces, service accounts, engineering workstations, control servers, and expected command patterns. Relationship context ties this strategy to T0871 Execution through API, so triage should emphasize whether an observed API call initiated a meaningful control-system function and whether the caller, timing, source, and target match approved operations.

Likely telemetry

  • Control software logs showing API calls or function invocations, where available
  • Device or application audit logs recording commands received through APIs
  • Network telemetry between control software and hardware or other control applications
  • Authentication and authorization logs for accounts or services permitted to use control APIs
  • Change-management, maintenance, and engineering activity records used to distinguish approved operations from suspicious API activity

Detection direction

  • Inventory normal API-driven workflows before writing detections; otherwise routine automation and engineering activity may create high false-positive volume.
  • Validate whether API activity is logged with enough context: caller identity, source system, target device or software, timestamp, requested function, and outcome.
  • Correlate API execution events with authorized maintenance windows, change tickets, operator actions, and expected control software behavior.
  • Look for deviations from established patterns, such as unusual caller systems, unexpected service accounts, API calls outside approved windows, or functions invoked against unusual targets.
  • Treat missing telemetry as a material blind spot: the supplied ATT&CK object provides no official detection text, so local logging capability determines practical coverage.

Mitigation priorities

  • Document which APIs can invoke control-system functions and who owns them operationally.
  • Restrict API use to authorized software, accounts, systems, and workflows consistent with operational requirements.
  • Ensure logging is enabled and retained for API calls that can engage device or control-software functionality.
  • Align API access reviews with change management, incident response playbooks, and compliance evidence needs.
  • Segment and monitor communications between systems that initiate API calls and the devices or applications that receive them, where consistent with ICS architecture and safety requirements.
Analyst notes and limits

This take is based on the detection strategy object DET0742 and its relationship to ICS ATT&CK technique T0871, Execution through API. The value for defenders is in validating whether API-based execution paths in the ICS environment are visible, governed, and explainable during investigation. Because MITRE supplied no official detection description for this object, any production analytic must be derived from local architecture, vendor/application logging, and approved operational workflows.

The source object has no official description, no official detection text, no specified platforms, and no tactics. The related technique description only states that adversaries may leverage APIs used for communication between control software and hardware to engage device or software functions. This response therefore avoids claims about specific technologies, active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection of Execution through API

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
ICS T0871 Execution through API This object detects Execution through API.
Relationship explorer

All related ATT&CK context

detects · Technique T0871: Execution through API ICS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
aa8f8dc62e98bf6a...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle aa8f8dc62e98…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0742
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use