DET0760: Detection of Command-Line Interface
Analyst context for executives and security teams
DET0760 is a detection strategy for ATT&CK for ICS technique T0807, Command-Line Interface. The practical issue is not that CLIs are unusual; it is that they are a normal administrative pathway in control system environments and can also be used by adversaries to interact with systems, execute commands, and install or run tools. Leaders should treat this as a coverage question: can the organization distinguish expected engineering or administrative CLI use from activity that falls outside approved operations?
Executive priority
This matters for operational resilience and incident decision-making because CLI activity can represent either legitimate maintenance or hands-on adversary control. Executives and security leaders should ask whether control system assets that permit CLI interaction produce enough evidence for the SOC and incident responders to reconstruct what commands were run, by whom, and whether the activity aligned to an approved change. The priority is to validate monitoring and governance around administrative command execution rather than assume existing enterprise endpoint logging automatically covers ICS environments.
Technical view
SOC, detection engineering, and IR teams should map DET0760 to T0807 and validate whether CLI activity is observable across relevant control system assets and supporting systems. Because the supplied ATT&CK object does not specify platforms, tactics, or official detection logic, teams should avoid generic assumptions and instead inventory where CLIs exist, what logs are available, and how command execution can be tied to user/session context and approved operational activity. Detection should focus on anomalous or unauthorized command execution, CLI-driven software installation or tool execution, and CLI activity inconsistent with normal maintenance windows or roles.
Likely telemetry
- Command execution or command history records where available
- Process or program execution telemetry where available
- Authentication and session records associated with CLI access
- Administrative change records and maintenance-window evidence
- Software installation or tool execution logs initiated through CLI activity
Detection direction
- Confirm which ICS and supporting assets expose command-line interfaces and which of them produce usable audit evidence.
- Correlate CLI events with authenticated users, asset identity, time of activity, and approved change records to reduce false positives from legitimate administration.
- Tune detections around deviations from normal engineering or administrative behavior rather than treating all CLI use as malicious.
- Prioritize visibility for CLI use that installs or runs new software, since the related technique description explicitly includes this behavior.
- Identify blind spots such as assets with limited logging, local console activity that is not centrally collected, and environments where command records are not retained long enough for incident response.
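The correlation and prioritization steps above, worked through as an added example (not DET0760's official logic, which ATT&CK does not supply, and not Glexia's code): constructed CLI audit records are matched against approved change records by host, user and time, and commands that install software are raised in priority. The record fields, change-window format and install-command patterns are assumptions.

```python
# Added illustrative analytic (not DET0760's official logic; ATT&CK supplies
# none). Field names, change-record format and install patterns are assumed.
from dataclasses import dataclass
from datetime import datetime as dt
import re
@dataclass
class CliEvent:        # one centrally collected CLI audit record
    ts: dt; host: str; user: str; session: str; command: str

@dataclass
class ChangeWindow:    # approved change record from change control
    change_id: str; host: str; users: set; start: dt; end: dt

# CLI use that installs or runs new software (assumed patterns; extend per asset).
INSTALL = re.compile(r"\b(apt(-get)? install|yum install|pip install|msiexec)\b", re.I)

# Constructed sample telemetry and change records, not real data.
CHANGES = [ChangeWindow("CHG-1001", "hmi-01", {"eng_alice"},
                        dt(2024, 3, 12, 2, 0), dt(2024, 3, 12, 4, 0))]
EVENTS = [
    CliEvent(dt(2024, 3, 12, 2, 15), "hmi-01", "eng_alice", "s1", "show running-config"),
    CliEvent(dt(2024, 3, 12, 2, 40), "hmi-01", "eng_alice", "s1", "pip install pymodbus"),
    CliEvent(dt(2024, 3, 12, 13, 5), "plc-gw-02", "svc_backup", "s2", "tar czf /tmp/cfg.tgz /etc/plc"),
    CliEvent(dt(2024, 3, 12, 13, 7), "plc-gw-02", "svc_backup", "s2", "apt-get install -y tcpdump"),
]

def approved_change(ev, changes):
    """Return the change ID covering this host, user and time, or None."""
    for c in changes:
        if c.host == ev.host and ev.user in c.users and c.start <= ev.ts <= c.end:
            return c.change_id
    return None

def assess(events, changes):
    """Flag CLI events outside approved operations or that install software.
    Unapproved install ranks highest; approved installs are still reviewed."""
    findings = []
    for ev in events:
        change = approved_change(ev, changes)
        reasons = []
        if change is None:
            reasons.append("no approved change window for host/user/time")
        if INSTALL.search(ev.command):
            reasons.append("installs or runs new software")
        if not reasons:
            continue  # routine administration under an approved change
        severity = "high" if len(reasons) == 2 else "medium" if change is None else "low"
        findings.append({"host": ev.host, "user": ev.user, "session": ev.session, "command": ev.command,
                         "change": change, "severity": severity, "reasons": reasons})
    return findings
```

Assets whose console activity is not centrally collected produce no `CliEvent` at all, which is the blind spot the last point above describes; the analytic cannot compensate for it and inventorying those assets remains a prerequisite.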
Mitigation priorities
- Establish policy and change-control expectations for administrative CLI use in control system environments.
- Enable and retain CLI, session, and execution logging where the asset safely supports it.
- Limit CLI access to authorized personnel and operationally justified use cases.
- Integrate CLI evidence into SOC triage and incident response playbooks so responders can reconstruct command activity during investigations.
- Review coverage during compliance or resilience assessments to ensure logging claims are backed by collected evidence, not assumptions.
Analyst notes and limits
The supplied ATT&CK detection strategy has no official description or detection text and does not specify platforms or tactics. The main analytic value comes from its relationship to ICS technique T0807, Command-Line Interface. Local asset inventory, logging capability, and operational procedures are required to turn this into an actionable detection requirement.
This take does not assert active exploitation, specific adversary behavior, affected platforms, or guaranteed detectability. ATT&CK fields for DET0760 are sparse, so implementation details must be validated against the local ICS architecture and available telemetry.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0807 | Command-Line Interface | This object detects Command-Line Interface. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 82f4fadb3d18… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0760
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.