DET0774: Detection of I/O Image
Analyst context for executives and security teams
DET0774 is an ICS detection strategy associated with attempts to observe or capture a PLC’s I/O image: the internal view of input and output values used during a controller scan cycle. For leaders, the practical issue is visibility into whether someone is reading process-state data that could support later manipulation, disruption, or unsafe operational decisions. Because the ATT&CK entry provides no official detection text, teams should treat this as a validation prompt rather than a ready-made analytic.
Executive priority
Prioritize this where PLC-controlled operations affect safety, production continuity, regulatory evidence, or cyber-physical risk. Leadership should ask whether the organization can prove who or what is accessing controller process values, whether that access is expected, and whether SOC/IR teams have enough OT telemetry to investigate suspicious reads without disrupting operations.
Technical view
This detection strategy covers ATT&CK for ICS technique T0877, I/O Image. That technique describes adversaries seeking process values related to PLC inputs and outputs stored in the input and output image tables during the scan cycle. Because the object specifies no platforms, tactics, or official detection logic, defenders should validate environment-specific visibility around controller access, engineering workstation interactions, SCADA/HMI polling, historian collection, and any logs or network records that show reads of PLC process values. Baseline normal operational polling (which sources, on which schedule, at what volume) before alerting on deviations in volume, source, timing, or authorization.
Likely telemetry
- PLC or controller access/audit logs where available
- Engineering workstation activity logs
- SCADA/HMI and historian records showing process value collection
- OT network traffic metadata involving controller communications
- Asset inventory and authorized communication maps for PLC-related systems
Detection direction
- Confirm whether telemetry can distinguish authorized process polling from unusual reads of PLC input/output values.
- Baseline normal sources, schedules, and volumes for controller process-value access.
- Look for unexpected systems querying controller values, unusual timing outside maintenance windows, or access inconsistent with documented OT communication paths.
- Correlate suspected access with engineering workstation use, operator activity, and approved maintenance tickets to reduce false positives.
- Document blind spots where PLCs, network segments, or OT protocols are not monitored, because the ATT&CK object does not provide a vendor-neutral analytic.
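The detection direction above reduces to one procedure: learn the normal polling cadence per (source, PLC) pair from a known-good period, keep an authorized communication map and the change-control windows beside it, then flag reads from hosts outside the map (downgrading those that fall inside an approved maintenance window) and bursts that run far faster than the learned cadence. The following is an added example written for this page, not code from the ATT&CK object or from Glexia; the host names, PLC names, the one-line metadata format, the maintenance entry, and the burst factor are all constructed assumptions.

```python
"""Baseline-then-deviate checks over constructed OT connection metadata.

Added example. Each line models one PLC process-value access seen on the OT
network:  "<iso timestamp> <source host> -> <plc> <operation>".
All names below are hypothetical.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed authorized communication map: PLC -> hosts allowed to poll it.
AUTHORIZED = {
    "plc-line1": {"scada-01", "hist-01"},
    "plc-line2": {"scada-01", "hist-01"},
}

# Constructed change-control record: (host, plc, window_start, window_end).
MAINTENANCE = [
    ("ews-03", "plc-line1", datetime(2026, 3, 10, 8, 0), datetime(2026, 3, 10, 12, 0)),
]

# Constructed known-good period used to learn polling cadence.
BASELINE_LINES = [
    "2026-03-09T09:00:00 scada-01 -> plc-line1 read",
    "2026-03-09T09:00:05 scada-01 -> plc-line1 read",
    "2026-03-09T09:00:10 scada-01 -> plc-line1 read",
    "2026-03-09T09:00:15 scada-01 -> plc-line1 read",
    "2026-03-09T09:00:00 hist-01 -> plc-line1 read",
    "2026-03-09T09:01:00 hist-01 -> plc-line1 read",
]

# Constructed period under review.
EVENT_LINES = [
    "2026-03-10T10:00:00 scada-01 -> plc-line1 read",
    "2026-03-10T10:00:05 scada-01 -> plc-line1 read",
    "2026-03-10T10:00:05.200000 scada-01 -> plc-line1 read",  # far faster than cadence
    "2026-03-10T09:30:00 ews-03 -> plc-line1 read",            # inside maintenance window
    "2026-03-10T22:15:00 ews-03 -> plc-line1 read",            # outside any window
    "2026-03-10T10:05:00 laptop-77 -> plc-line2 read",         # host not in comm map
    "2026-03-10T10:06:00 scada-01 -> plc-line2 write",         # not a read; ignored here
]


def parse(line):
    """Split one constructed metadata line into its fields."""
    ts, src, _, plc, op = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "plc": plc, "op": op}


def build_baseline(lines):
    """Median seconds between consecutive reads for each (src, plc) pair."""
    times = defaultdict(list)
    for r in map(parse, lines):
        if r["op"] == "read":
            times[(r["src"], r["plc"])].append(r["ts"])
    baseline = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if gaps:
            baseline[key] = median(gaps)
    return baseline


def in_maintenance(src, plc, ts):
    """True if an approved change-control window covers this host/PLC/time."""
    return any(h == src and p == plc and s <= ts <= e for h, p, s, e in MAINTENANCE)


def detect(lines, baseline, burst_factor=5.0):
    """Return (verdict, src, plc, iso_ts) for each read that deviates from normal.

    burst_factor is an assumed tuning knob: a gap shorter than baseline/burst_factor
    is treated as a polling burst for an otherwise authorized source.
    """
    findings = []
    last_seen = {}
    for r in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if r["op"] != "read":
            continue
        key = (r["src"], r["plc"])
        if r["src"] not in AUTHORIZED.get(r["plc"], set()):
            verdict = ("read-in-maintenance-window" if in_maintenance(*key, r["ts"])
                       else "unauthorized-source")
            findings.append((verdict, r["src"], r["plc"], r["ts"].isoformat()))
        elif key in baseline and key in last_seen:
            gap = (r["ts"] - last_seen[key]).total_seconds()
            if gap < baseline[key] / burst_factor:
                findings.append(("polling-burst", r["src"], r["plc"], r["ts"].isoformat()))
        last_seen[key] = r["ts"]
    return findings


def run_example():
    """Learn the baseline from the known-good period and review the event period."""
    return detect(EVENT_LINES, build_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

The maintenance-window verdict is deliberately kept as a distinct, lower-priority finding rather than suppressed: an engineering workstation reading I/O values during its approved window is expected, but the record still belongs in the audit trail that the mitigation section asks you to preserve. Reads from a host absent from the communication map, or reads that arrive far faster than the learned cadence, are the cases to triage against operator activity and tickets.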
Mitigation priorities
- Maintain an accurate inventory of PLCs, engineering workstations, SCADA/HMI systems, historians, and authorized communication paths.
- Restrict controller access to approved OT systems and roles using network segmentation and identity/access controls appropriate for the environment.
- Preserve logs and network evidence needed for OT incident response and compliance review.
- Establish maintenance-window and change-control processes so unusual controller access can be triaged quickly.
- Test detections in coordination with operations to avoid disrupting safety or production systems.
Analyst notes and limits
The key decision value is not a specific signature; it is whether the organization can observe and explain access to PLC process-state values. This is especially relevant for managed detection, OT incident response readiness, cyber-physical risk reviews, and audit evidence around control-system access.
The supplied ATT&CK object has no official description, no official detection text, no platforms, and no tactics. Recommendations are derived only from its relationship to T0877 I/O Image and should be validated against local PLC architecture, vendor capabilities, logging availability, and operational constraints.
Detection of I/O Image
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bd6e4f8afcec… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0774 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.