DET0794: Detection of Unauthorized Command Message
Analyst context for executives and security teams
DET0794 is an ICS detection strategy for identifying unauthorized command messages to control system assets. Its business significance is that command messages can translate directly into physical process changes, so security leaders should treat this as a resilience and safety-adjacent monitoring question: can the organization prove that commands sent to control system devices are expected, authorized, and consistent with intended operating conditions?
Executive priority
Prioritize this where control system availability, safety, production continuity, or regulatory evidence depends on knowing who or what issued commands to ICS assets. The key leadership question is not simply whether network traffic is monitored, but whether the SOC and operations teams can distinguish legitimate operator/control logic activity from commands that occur without expected authorization or logical preconditions.
Technical view
ATT&CK provides no official detection text, platforms, or tactics for DET0794, so teams should derive validation from the related ICS technique T1692.001 Command Message. SOC, OT, and IR teams should confirm they can observe command traffic, associate commands with expected sources and operational context, and investigate commands that instruct control system devices to act outside normal bounds or without expected preconditions. Detection logic should be developed with process engineers or control system owners to avoid treating all unusual commands as malicious.
Likely telemetry
- ICS network traffic containing command messages
- Control system device logs where available
- Engineering workstation or operator station activity records
- Historian, alarm, or process event data showing resulting state changes
- Asset inventory and communication baselines for expected command sources and destinations
Detection direction
- Validate visibility into command messages on relevant ICS network paths; lack of protocol or command-level visibility is a primary blind spot.
- Baseline expected command sources, destinations, timing, and operating conditions with OT stakeholders.
- Alert on commands from unexpected sources, commands to unexpected devices, or commands inconsistent with known process state or logical preconditions.
- Correlate command messages with operator actions, maintenance windows, alarms, and process changes to reduce false positives.
- Ensure incident responders can preserve enough network and process context to determine whether a command was unauthorized versus unusual but legitimate.
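One way to turn the baselining, pathway and precondition checks listed above into review logic, as an added example that is not part of the DET0794 object or Glexia's page; the device names, command types, expected pathways and process-state fields are constructed assumptions, not a real site's baseline:

```python
from dataclasses import dataclass
# Constructed baseline (illustrative names): which source may send which command
# type to which device under normal operation.
EXPECTED_PATHWAYS = {
    ("hmi-01", "plc-pump-a"): {"read", "start", "stop"},
    ("hmi-01", "plc-valve-b"): {"read", "write_setpoint"},
    ("eng-ws-02", "plc-pump-a"): {"read"},  # engineering station read-only by default
}
# Extra pathways expected only inside an approved maintenance window.
MAINTENANCE_PATHWAYS = {("eng-ws-02", "plc-pump-a"): {"stop", "download_logic"}}
# Logical preconditions: (command, device) -> predicate over current process state.
PRECONDITIONS = {
    ("start", "plc-pump-a"): lambda s: s.get("tank_level_pct", 0) > 20,
    ("write_setpoint", "plc-valve-b"): lambda s: s.get("mode") == "auto",
}

@dataclass
class CommandMessage:
    ts: str
    src: str
    dst: str
    command: str

def classify(msg, state, maintenance_window=False):
    """Return None when the command is expected, otherwise a short reason tag."""
    key = (msg.src, msg.dst)
    allowed = set(EXPECTED_PATHWAYS.get(key, ()))
    if maintenance_window:
        allowed |= MAINTENANCE_PATHWAYS.get(key, set())
    if not allowed:
        return "unexpected_pathway"             # no baseline for this source/device pair
    if msg.command not in allowed:
        return "unexpected_command_for_source"  # known pair, but not this command type
    check = PRECONDITIONS.get((msg.command, msg.dst))
    if check is not None and not check(state):
        return "precondition_not_met"           # conflicts with observed process state
    return None

def review(messages, state, maintenance_window=False):
    """(ts, src, dst, command, reason) for every message that needs analyst attention."""
    return [(m.ts, m.src, m.dst, m.command, r) for m in messages
            if (r := classify(m, state, maintenance_window)) is not None]

# Constructed sample: a short command log plus a process-state snapshot.
SAMPLE_STATE = {"tank_level_pct": 55, "mode": "manual"}
SAMPLE_MESSAGES = [
    CommandMessage("10:00:01", "hmi-01", "plc-pump-a", "start"),
    CommandMessage("10:00:05", "eng-ws-02", "plc-pump-a", "stop"),
    CommandMessage("10:00:09", "unknown-host", "plc-valve-b", "write_setpoint"),
    CommandMessage("10:00:12", "hmi-01", "plc-valve-b", "write_setpoint"),
]
```

Passing `maintenance_window=True` (taken from the change or approval records the page recommends keeping) clears the engineering-station finding while the unexpected pathway and the precondition conflict remain, which is the correlation step that separates "unusual but legitimate" from "unauthorized".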
Mitigation priorities
- Establish an authoritative inventory of control system assets and expected command pathways.
- Review and restrict which systems are permitted to issue commands to control system devices.
- Maintain operational approval and change records that can be correlated with observed command activity.
- Coordinate SOC detection engineering with OT operations so alerts reflect process reality, not only network anomalies.
- Use tabletop or validation exercises to confirm escalation paths between SOC, incident response, and control room personnel when unauthorized command activity is suspected.
Analyst notes and limits
This take is based on DET0794 and its relationship to T1692.001 Command Message. Because the ATT&CK object does not include official detection guidance, platform scope, tactics, or a description, the practical guidance focuses on defensible validation questions and evidence classes implied by the related ICS behavior.
ATT&CK fields supplied for DET0794 are sparse. No active exploitation, actor attribution, affected platforms, or guaranteed detection coverage can be inferred. Local ICS architecture, protocols, logging capability, and operating procedures are required to turn this into specific detections or control requirements.
Detection of Unauthorized Command Message
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T1692.001 | Command Message Sub-technique | This object detects Command Message. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d664545cf04b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.