DET0747: Detection of Manipulation of Control
Analyst context for executives and security teams
DET0747 is a detection strategy for identifying Manipulation of Control in industrial control system environments. The business issue is not just a suspicious command; it is whether an adversary or unauthorized actor can change set points, tags, or control parameters that influence a physical process before operators notice. For executives and security leaders, this is a resilience and safety-relevant behavior because detection depends on proving that changes to control intent are visible, explainable, and reviewable.
Executive priority
Prioritize this as an ICS operational resilience control question: can the organization distinguish authorized process adjustments from suspicious manipulation of control values or commands? Leaders should ask whether SOC, OT operations, and incident response teams have shared evidence for control changes, operator actions, and process deviations. Because the ATT&CK object provides no platform or detailed detection guidance, investment decisions should focus first on validating telemetry coverage and accountability around control parameter changes rather than assuming existing IT monitoring is sufficient.
Technical view
This detection strategy is linked to ATT&CK ICS technique T0831, Manipulation of Control. Detection engineering should focus on evidence of changes to set point values, tags, parameters, or commands to physical control processes. Since the official object does not specify platforms, tactics, or detection logic, teams should validate the local control architecture and identify where authoritative records exist for operator actions, engineering changes, device commands, and observed process state. IR playbooks should include a path to compare intended control settings against actual device/process behavior and to involve OT operators early for context.
Likely telemetry
- Records of set point, tag, or parameter changes where available
- Control system device command logs or equivalent command history
- Operator or HMI action history where available
- Engineering workstation or control configuration change records where available
- Industrial network traffic showing control communications, if collected
Detection direction
- Validate that changes to control values can be tied to an authorized user, system, time, and operational reason.
- Tune detections around unexpected, out-of-window, repeated, or unexplained changes to set points, tags, parameters, or control commands.
- Correlate control changes with process historian values and alarms to distinguish legitimate operations from potentially suspicious manipulation.
- Account for false positives from normal operator adjustments, maintenance, calibration, automated control routines, and approved process transitions.
- Identify blind spots where control devices, engineering tools, or operator interfaces do not produce centralized logs or where logs are not time-synchronized.
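As an added example (not part of the ATT&CK object or of the Glexia page), this Python sketch applies the directions above to a few constructed set point audit records and historian alarm records; the tag names, users, change orders, maintenance window and thresholds are all assumptions a site would replace with its own.

```python
from datetime import datetime

# Constructed sample data (not from any real plant or from the ATT&CK object).
CHANGES = [  # set point writes as an HMI/EWS audit log might record them
    {"ts": "2024-05-01T09:05:00", "tag": "FIC-101.SP", "old": 50.0, "new": 52.0,
     "user": "op_jones", "co": "CO-2201"},
    {"ts": "2024-05-01T02:14:00", "tag": "TIC-205.SP", "old": 180.0, "new": 240.0,
     "user": "svc_backup", "co": None},
    {"ts": "2024-05-01T02:14:30", "tag": "TIC-205.SP", "old": 240.0, "new": 180.0,
     "user": "svc_backup", "co": None},
]
ALARMS = [  # constructed historian alarm records: (ts, tag, alarm)
    ("2024-05-01T02:19:00", "TIC-205.PV", "HIHI"),
]
APPROVED_USERS = {"op_jones", "op_smith", "eng_lee"}   # assumed authorized operators
OPEN_CHANGE_ORDERS = {"CO-2201"}                       # assumed approved change orders
MAINT_WINDOW = (8, 17)      # hours in which unreferenced changes are tolerated
MAX_RELATIVE_STEP = 0.10    # steps larger than this fraction of the old value are unusual
REPEAT_SECONDS = 300        # repeated writes to one tag inside this many seconds
ALARM_FOLLOW_SECONDS = 600  # alarm on the tag's PV within this long after the write

def review_changes(changes=CHANGES, alarms=ALARMS):
    """Return [(tag, ts, [reasons])] for set point changes that need analyst review."""
    findings, last_seen = [], {}
    for c in sorted(changes, key=lambda x: x["ts"]):
        when, reasons = datetime.fromisoformat(c["ts"]), []
        if c["user"] not in APPROVED_USERS:
            reasons.append("user not authorized for control changes")
        if c["co"] not in OPEN_CHANGE_ORDERS and not MAINT_WINDOW[0] <= when.hour < MAINT_WINDOW[1]:
            reasons.append("no change order and outside maintenance window")
        if c["old"] and abs(c["new"] - c["old"]) / abs(c["old"]) > MAX_RELATIVE_STEP:
            reasons.append("step exceeds tolerance band")
        prev = last_seen.get(c["tag"])
        if prev and (when - prev).total_seconds() <= REPEAT_SECONDS:
            reasons.append("repeated write to same tag")
        last_seen[c["tag"]] = when
        pv_tag = c["tag"].replace(".SP", ".PV")   # correlate with the measured value's alarms
        for ats, atag, alarm in alarms:
            delta = (datetime.fromisoformat(ats) - when).total_seconds()
            if atag == pv_tag and 0 <= delta <= ALARM_FOLLOW_SECONDS:
                reasons.append(f"{alarm} alarm on {atag} {int(delta)}s after write")
        if reasons:
            findings.append((c["tag"], c["ts"], reasons))
    return findings

if __name__ == "__main__":
    for tag, ts, reasons in review_changes():
        print(tag, ts, "; ".join(reasons))
```

The first record (an authorized operator, a referenced change order, a small step) produces no finding, which is the false-positive handling the list above asks for; the two night-time writes by a service account accumulate several reasons each, including the historian alarm that follows them.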
Mitigation priorities
- Establish ownership and approval expectations for changes to control values and parameters.
- Ensure critical control-change evidence is logged, retained, time-synchronized, and accessible to OT, SOC, and incident response teams.
- Review access paths capable of issuing commands or modifying control parameters and align them with least privilege and operational need.
- Create response procedures for suspected manipulation that preserve evidence while coordinating safely with plant or process operators.
- Use tabletop exercises to test whether teams can identify what changed, who or what changed it, and whether the physical process is still within expected bounds.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection text. The strongest supported context comes from its relationship to T0831, which describes adversaries manipulating physical process control through changes to set points, tags, parameters, or commands to control processes. Treat this as a coverage validation prompt for ICS monitoring and response rather than a ready-made analytic.
Platforms, tactics, and official detection logic are not specified in the supplied fields. This take does not assert active exploitation, attribution, customer exposure, or guaranteed detection coverage. Local architecture, logging availability, process safety requirements, and operator workflows are necessary to turn this into specific detections.
Detection of Manipulation of Control
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0831 | Manipulation of Control | This object detects Manipulation of Control. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7495de6542ba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0747 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.