DET0762: Detection of Damage to Property
Analyst context for executives and security teams
DET0762 is an ATT&CK for ICS detection strategy tied to identifying Damage to Property. Its business significance is that the security program should not treat cyber incidents in control-system environments as purely digital events: the observable outcome may be equipment breakdown, infrastructure damage, environmental harm, or escalation toward safety consequences. Because the official detection strategy has no supplied detection text or platform scope, organizations should use it as a prompt to validate whether cyber, operational, safety, and physical incident evidence can be brought together quickly during an OT/ICS event.
Executive priority
Prioritize this as an operational resilience and safety-governance question: if an ICS incident coincides with damaged equipment or infrastructure, can leadership determine whether cyber activity contributed, what operations are at risk, and what evidence is available for response, insurance, regulatory, and audit needs? The key decision value is ensuring SOC, OT operations, safety, facilities, and incident response teams have shared escalation paths and evidence-retention expectations before a destructive event occurs.
Technical view
For SOC, detection engineering, and IR teams, DET0762 should drive validation of cross-domain evidence collection rather than a single analytic. The related ATT&CK technique is T0879 Damage to Property, where adversary activity may cause physical destruction, equipment breakdown, or tangential damage from other control-system attack techniques, potentially leading to Loss of Safety. Because ATT&CK provides no official detection logic, platforms, or tactics for this object, teams should map local OT processes and assets to the signals that would indicate abnormal equipment condition, process disruption, safety-system involvement, and correlated cyber activity.
Likely telemetry
- OT/ICS process alarms, equipment fault indicators, and abnormal operating-state records where available
- Control-system event logs and engineering workstation or operator activity logs where collected
- Historian data showing process deviations, equipment state changes, or abnormal sequences around the incident window
- Safety, maintenance, facilities, and physical inspection reports documenting equipment or infrastructure damage
- Network and access logs from relevant OT segments to correlate cyber activity with the timing of damage
Detection direction
- Validate whether the SOC can correlate physical damage reports with OT process data and cyber logs on a common timeline.
- Define escalation criteria for equipment breakdown or infrastructure damage that may have a cyber component, especially in control-system environments.
- Tune triage to reduce false positives from planned maintenance, known equipment failures, environmental events, or authorized operational changes.
- Check blind spots created by siloed ownership of OT telemetry, safety records, maintenance systems, and physical security observations.
- Use the relationship to T0879 as context: detection should focus on evidence of damage/destruction and the surrounding control-system activity, not on an unsupported platform-specific analytic.
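As an added example (not code from the page, MITRE or Glexia), one way to implement the common-timeline correlation and maintenance-window suppression described above; all asset names, records and windows are constructed sample data:

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for illustration only (not real data); timestamps are ISO 8601 UTC.
DAMAGE_REPORTS = [   # physical inspection / maintenance findings (asset, time, finding)
    ("PUMP-3", "2024-05-02T10:42:00", "bearing seized, casing cracked"),
    ("VALVE-7", "2024-05-02T14:05:00", "actuator burned out"),
]
HISTORIAN = [        # process deviations (asset, time, tag, value)
    ("PUMP-3", "2024-05-02T10:20:00", "motor_speed_rpm", 4200),
    ("VALVE-7", "2024-05-02T13:50:00", "cycle_count_per_min", 90),
]
CYBER_EVENTS = [     # OT network / engineering workstation logs (asset, time, event)
    ("PUMP-3", "2024-05-02T10:15:00", "setpoint write from unexpected host"),
]
MAINTENANCE = [      # authorised maintenance windows (asset, start, end)
    ("VALVE-7", "2024-05-02T13:00:00", "2024-05-02T15:00:00"),
]

def _t(s):
    return datetime.fromisoformat(s)

def in_maintenance(asset, when):
    """True if the timestamp falls inside an authorised maintenance window for the asset."""
    return any(a == asset and _t(s) <= when <= _t(e) for a, s, e in MAINTENANCE)

def correlate(report, lookback=timedelta(minutes=30)):
    """Merge cyber and process evidence for one damage report onto a single time-ordered
    timeline and classify it. Cyber evidence is never suppressed by a maintenance window."""
    asset, when, finding = report[0], _t(report[1]), report[2]
    start = when - lookback
    timeline = [(_t(t), "historian", f"{tag}={val}") for a, t, tag, val in HISTORIAN
                if a == asset and start <= _t(t) <= when]
    timeline += [(_t(t), "cyber", ev) for a, t, ev in CYBER_EVENTS
                 if a == asset and start <= _t(t) <= when]
    timeline.sort()
    if any(src == "cyber" for _, src, _ in timeline):
        status = "cyber-correlated"        # escalate jointly to SOC, OT operations and safety
    elif in_maintenance(asset, when):
        status = "planned-maintenance"     # authorised work: review as a maintenance finding
    else:
        status = "no-cyber-evidence"       # equipment/process failure unless new evidence appears
    return {"asset": asset, "finding": finding, "status": status,
            "timeline": [(ts.isoformat(), src, d) for ts, src, d in timeline]}

def triage_all():
    """Classify every damage report; returns {asset: status}."""
    return {r[0]: correlate(r)["status"] for r in DAMAGE_REPORTS}

if __name__ == "__main__":
    for r in DAMAGE_REPORTS:
        print(correlate(r))
```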
Mitigation priorities
- Establish joint OT, SOC, safety, facilities, and incident response procedures for suspected cyber-related physical damage.
- Prioritize asset criticality mapping so damaged equipment can be tied to business processes, safety dependencies, and recovery priorities.
- Ensure logging and evidence retention are defined for control-system events, process historians, operator actions, maintenance records, and physical damage documentation.
- Run tabletop or operational exercises that test how teams determine whether damage is cyber-related and how leadership receives timely risk updates.
- Review resilience and safety controls for critical equipment, including change control, access governance, monitoring coverage, and recovery procedures, using local engineering requirements.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description, detection text, tactics, or platforms. The useful context comes from its relationship to ICS technique T0879 Damage to Property. Treat this as a coverage-validation and response-readiness driver, especially for environments where cyber events can intersect with physical operations.
This take is limited by sparse official fields. It does not assert active exploitation, specific adversaries, affected platforms, or guaranteed detection methods. Local process knowledge, asset inventories, telemetry availability, and safety/maintenance procedures are required to turn this into deployable detections or response playbooks.
Detection of Damage to Property
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0879 | Damage to Property | This object detects Damage to Property. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4b85ad169cc5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0762
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.