DET0785: Detection of Manipulation of View
Analyst context for executives and security teams
DET0785 is an ICS ATT&CK detection strategy tied to Manipulation of View (T0832): the risk that operators or controllers see information that does not reflect the real process state. For leaders, the significance is not just monitoring accuracy; it is whether the organization can trust its operational picture during an incident and avoid unsafe or harmful decisions based on false status information.
Executive priority
Prioritize this as an operational resilience and cyber-physical risk issue. Security and operations leaders should ask whether critical process views can be independently validated, whether incident responders know how to handle suspected loss or manipulation of view, and whether audit evidence can show that monitoring, operator displays, and control signals are reconciled rather than trusted blindly.
Technical view
The ATT&CK object provides no official detection text, platforms, or tactics, so validation should be relationship-driven: focus on evidence that could reveal a mismatch between the real process state and what is reported to operators or controllers. SOC, OT, and IR teams should test whether they can compare reported values, controller-relevant data, operator-facing views, and independent process observations during abnormal conditions.
Likely telemetry
- Operator-facing view/display records where available
- Controller-relevant process values and status data
- Process historian or time-series records where available
- Alarms, events, and operator action logs
- Independent process observations or out-of-band measurements used to confirm actual state
Detection direction
- Validate whether monitoring can identify inconsistencies between reported operator/controller information and other sources of process state.
- Tune for abnormal divergence, stale values, unexpected loss of visibility, or status changes that conflict with independent process evidence.
- Account for false positives from maintenance, sensor faults, communications issues, or legitimate engineering changes.
- Confirm that SOC and OT teams have an escalation path for suspected manipulated view conditions, not just generic alert triage.
- Because MITRE provides no official detection procedure for DET0785, local engineering knowledge is required to define normal process relationships and trustworthy comparison points.
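The reconciliation described in the list above, as an added example (not MITRE's or Glexia's code): it compares an operator-facing value with an independent measurement and flags divergence, stale views, and loss of view while suppressing maintenance windows. The tag name, tolerance, thresholds, maintenance window, and samples are constructed assumptions; real values come from local process knowledge.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Sample:
    ts: int                      # seconds since start of capture
    tag: str
    reported: Optional[float]    # value on the operator view (None = no data)
    independent: float           # out-of-band measurement of the same quantity

# Assumed engineering limits; define these from local process relationships.
TOLERANCE = {"TANK1_LEVEL_PCT": 3.0}   # allowed |reported - independent|
STALE_AFTER = 3                         # frozen readings while the process moves
MAINTENANCE = [(100, 130)]              # (start, end) windows from change control

def in_maintenance(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE)

def reconcile(samples):
    """Return (ts, tag, finding) tuples for view/process mismatches."""
    findings, last, run = [], {}, {}
    for s in sorted(samples, key=lambda x: x.ts):
        if in_maintenance(s.ts):
            last.pop(s.tag, None)       # reset state, raise nothing
            run[s.tag] = 0
            continue
        if s.reported is None:
            findings.append((s.ts, s.tag, "loss_of_view"))
            continue
        prev = last.get(s.tag)
        moved = prev is not None and abs(s.independent - prev.independent) > 0.5
        frozen = prev is not None and s.reported == prev.reported
        run[s.tag] = run.get(s.tag, 0) + 1 if (frozen and moved) else 0
        if run[s.tag] >= STALE_AFTER:
            findings.append((s.ts, s.tag, "stale_view"))
        elif abs(s.reported - s.independent) > TOLERANCE[s.tag]:
            findings.append((s.ts, s.tag, "divergence"))
        last[s.tag] = s
    return findings

# Constructed samples: frozen display while level rises, maintenance, dropout.
T = "TANK1_LEVEL_PCT"
SAMPLES = [
    Sample(0, T, 50.0, 50.2), Sample(10, T, 50.0, 51.5), Sample(20, T, 50.0, 53.5),
    Sample(30, T, 50.0, 55.0), Sample(40, T, 50.0, 57.0),
    Sample(110, T, 10.0, 57.0),         # calibration inside the maintenance window
    Sample(140, T, 57.1, 57.0), Sample(150, T, None, 57.2),
]
if __name__ == "__main__":
    print(reconcile(SAMPLES))
```

Sensor faults and communications issues produce the same findings as a manipulated view, so each finding is a prompt for the OT escalation path rather than a verdict.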
Mitigation priorities
- Establish independent validation paths for critical process state before relying on a single operator view.
- Document incident response procedures for suspected loss or manipulation of view, including operations-led safety decision points.
- Protect and monitor systems that generate, transmit, or display process state information.
- Review change control around engineering, display, controller, and historian configurations that could affect what operators see.
- Use tabletop or simulation exercises to confirm that operators and responders can recognize and act on inconsistent views.
Analyst notes and limits
This take is based on the DET0785 detection strategy metadata and its relationship to T0832 Manipulation of View in the ICS ATT&CK domain. The practical defensive value is in validating trust in the operational picture, especially where decisions depend on operator or controller-reported information.
The supplied ATT&CK object has no official description, detection text, platforms, tactics, or aliases. Recommendations are therefore conservative and derived only from the relationship to T0832 and its supplied description. Local architecture, process knowledge, and available OT telemetry are required to turn this into concrete detections.
Detection of Manipulation of View
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0832 | Manipulation of View | This object detects Manipulation of View. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a97086815048… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0785
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.