DET0746: Detection of Spoof Reporting Message
This detection strategy is meant to help identify spoofed control-system reporting messages: telemetry that represents I/O values, equipment state, or proc...
Analyst context for executives and security teams
This detection strategy is meant to help identify spoofed control-system reporting messages: telemetry that represents I/O values, equipment state, or process state. For leaders, the significance is that operators and automated control decisions may depend on those messages to know whether the process is normal or deviating. If reporting data can be spoofed, monitoring, response, and process-control confidence can be impaired.
Executive priority
Treat this as an ICS integrity and operational-resilience issue. The key business question is whether the organization can prove that critical process telemetry is trustworthy enough for operations, incident response, and compliance evidence. Because the ATT&CK object provides no platform, tactic, or detailed detection logic, priority should focus on validating visibility and assurance around reporting-message integrity for the most safety- or production-critical processes.
Technical view
SOC, OT security, and incident response teams should use this object as a validation prompt for technique T1692.002, Reporting Message. Confirm whether control-system reporting messages and the telemetry they carry can be observed, baselined, and investigated for inconsistencies with expected equipment or process state. Since no official detection text is provided, local engineering context is required to define what constitutes an abnormal or spoofed report.
Likely telemetry
- Control-system reporting messages
- Telemetry data representing current equipment state
- I/O values associated with industrial process state
- Records of expected versus observed process values
- Events or indicators of deviations from expected values
Detection direction
- Validate that reporting-message telemetry is collected for critical control-system processes, not just higher-level security logs.
- Work with operations/engineering teams to define expected value ranges, state transitions, and deviation conditions that would make spoofed reporting plausible.
- Tune detections around inconsistencies between reported telemetry and expected equipment or process behavior, with care to avoid false positives from normal process variation or maintenance activity.
- Identify blind spots where reporting messages are not logged, cannot be correlated to process context, or are trusted without independent validation.
Mitigation priorities
- Prioritize integrity assurance for reporting paths that operators or control logic rely on for safety, uptime, or production decisions.
- Document which critical reporting messages are monitored and how deviations are reviewed during incident response.
- Use engineering-approved baselines for normal operation before escalating suspected spoofing as a security incident.
- Where coverage is absent, treat the gap as an OT visibility and assurance risk requiring local architecture review.
Analyst notes and limits
The ATT&CK detection-strategy object has no official description or detection content. The usable context comes from its relationship to ICS technique T1692.002, Reporting Message, which describes spoofing telemetry such as I/O values and process state in control-system environments.
Platforms, tactics, and specific detection analytics are not specified in the supplied ATT&CK fields. This take does not assert active exploitation, attribution, affected products, or guaranteed detection coverage. Local process knowledge and telemetry architecture are required to make this actionable.
Detection of Spoof Reporting Message
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T1692.002 | Reporting Message Sub-technique | This object detects Reporting Message. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | f67d614b95b9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0746Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.