Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0797: Detection of Block Serial COM

DET0797 is a detection strategy for identifying behavior related to blocking Serial COM communications in industrial control environments. The business sig...

ICSDET0797Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0797 is a detection strategy for identifying behavior related to blocking Serial COM communications in industrial control environments. The business significance is operational: if commands, configuration updates, or reporting messages cannot traverse serial COM paths, operators may lose visibility or control of connected devices. Because MITRE provides no detailed detection logic or platform scope for this object, organizations should treat it as a prompt to validate whether critical serial communications are inventoried, monitored, and covered by incident response procedures.

Executive priority

Prioritize this where serial COM links support safety, production, utility, or other cyber-physical processes. Leaders should ask whether the organization can prove which devices depend on serial COM, whether loss of those paths would interrupt operations, and whether SOC/OT teams can distinguish a cyber-related block from routine device, cable, converter, or maintenance issues. This is also relevant to resilience and audit evidence because coverage depends heavily on asset knowledge, telemetry availability, and operational runbooks.

Technical view

This detection strategy detects ATT&CK for ICS technique T1695.001, Serial COM. The related technique describes adversaries blocking access to serial COM so instructions, configurations, command messages, or reporting messages cannot reach or leave target devices. Since the ATT&CK object does not provide official detection analytics, platforms, or tactics, SOC and OT detection teams should validate monitoring around known serial COM dependencies, especially where serial-to-Ethernet converters connect serial devices into routable environments. Detection should focus on unexpected loss, degradation, or asymmetry of expected command/configuration/reporting flows, correlated with device state, operator activity, and approved maintenance.

Likely telemetry

  • Inventory and topology records showing devices, controllers, engineering systems, and serial COM dependencies
  • Status, health, event, or diagnostic logs from control system devices where available
  • Serial-to-Ethernet converter status, connectivity, and network telemetry where such converters are used
  • SCADA, HMI, historian, or operator alarm evidence showing loss of reporting or command responsiveness
  • Change, maintenance, and physical access records for cabinets, converters, cabling, and connected devices

Detection direction

  • Confirm that critical serial COM paths are documented and mapped to business processes before writing detections.
  • Baseline normal command, configuration, and reporting behavior for devices that rely on serial COM communications.
  • Alert on unexpected loss of reporting, inability to send commands, or communication state changes, but tune against planned maintenance, device resets, cabling faults, and converter failures.
  • Correlate serial communication loss with serial-to-Ethernet converter telemetry where applicable, rather than relying only on higher-level SCADA/HMI symptoms.
  • Maintain IR triage logic that separates cyber suspicion from common OT reliability causes such as failed hardware, loose cables, configuration drift, and scheduled work.

Mitigation priorities

  • Start with asset and dependency inventory for serial COM communications supporting critical operations.
  • Establish monitoring or health checks for serial links and any serial-to-Ethernet converters used in the environment.
  • Define operational escalation paths for unexplained loss of command, configuration, or reporting messages.
  • Protect and document physical and change access to serial cabling, converters, and connected control devices.
  • Test response procedures for loss of serial communications, including safe operational fallback and evidence preservation.
Analyst notes and limits

The ATT&CK detection strategy record is sparse: no official description, detection text, platform list, or tactics are supplied. The most useful context comes from the relationship to T1695.001 Serial COM, which frames the behavior around blocking command, configuration, and reporting messages in ICS communications.

This take does not assert active exploitation, attribution, specific affected platforms, or guaranteed detection coverage. Local architecture, asset inventory, converter usage, and available OT telemetry are required to determine practical detection and response coverage.

Official MITRE ATT&CK definition

Detection of Block Serial COM

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
ICS T1695.001 Serial COM Sub-technique This object detects Serial COM.
Relationship explorer

All related ATT&CK context

detects · Technique T1695.001: Serial COM ICS
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
fc8977bb316c20f3...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle fc8977bb316c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0797
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use