T0832: Manipulation of View
Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. [1] [2] [3]
Operators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.
Analyst context for executives and security teams
Manipulation of View is an ICS technique where operators, controllers, or business systems may be shown inaccurate process information while the real process state is different. The business risk is not only loss of visibility; bad data can drive unsafe operator actions, flawed management decisions, and delayed incident response in environments where process integrity and safety depend on trusted telemetry.
Executive priority
Treat this as an operational resilience and safety assurance issue, not just a monitoring problem. Leaders should ask whether critical process decisions depend on a single data path, whether alternate communications or independent validation exist during suspected data integrity events, and whether recovery plans include trusted configurations and gold-copy backups for systems that provide control, view, or availability. The ATT&CK relationships to Stuxnet and Industroyer make this behavior important for ICS threat modeling, but the supplied object does not support claims about current exploitation in any specific environment.
Technical view
SOC, OT security, and incident response teams should validate how they would recognize disagreement between reported values and the physical or independently observed process state. Because the ATT&CK object provides no official detection text, detection engineering should be anchored to the related DET0785 strategy and to local ICS architecture: compare operator displays, controller data, historian/business-analysis data, network message integrity, and out-of-band observations where available. Prioritize scenarios where manipulated telemetry could cause operators to issue harmful control sequences or where business systems consume inaccurate operational data.
Likely telemetry
- ICS operator interface and HMI display values
- Controller and process data used for control decisions
- Historian or business-analysis data feeds that receive process information
- Network communications carrying process telemetry or control data
- Authentication and integrity evidence for messages over untrusted networks
Detection direction
- Validate DET0785-aligned coverage for detecting manipulated or inconsistent process views; do not assume coverage because standard IT monitoring is present.
- Look for mismatches between reported process state and independent sources of truth, including alternate communications channels or physical/process observations where available.
- Tune detections to account for normal sensor noise, latency, maintenance activity, and engineering changes to reduce false positives.
- Assess blind spots where business-analysis systems receive process data without integrity validation or where operators rely on a single display/data path.
- Confirm incident responders have procedures for preserving evidence from HMI, controller, historian, and network sources during suspected data integrity events.
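The mismatch check described in the detection bullets above, as an added example that is not part of the ATT&CK object or the analyst text: it pairs reported values with an independent reading by time, tolerates noise and latency, suppresses maintenance windows, and alerts only on sustained disagreement. The tag name, thresholds and sample readings are constructed assumptions.

```python
from bisect import bisect_left
from collections import namedtuple

Sample = namedtuple("Sample", "ts tag value")  # ts in seconds

# Constructed tuning: tolerance absorbs sensor noise, max_skew absorbs polling
# latency, persist = consecutive mismatches required before alerting.
TUNING = {"TANK1_LEVEL_PCT": {"tolerance": 2.0, "max_skew": 5.0, "persist": 3}}

def nearest(ref, ref_ts, ts):
    """Sample in ref (sorted by ts) closest in time to ts, or None."""
    i = bisect_left(ref_ts, ts)
    return min(ref[max(i - 1, 0):i + 1], key=lambda s: abs(s.ts - ts), default=None)

def find_view_mismatches(reported, independent, tuning=TUNING, maintenance=()):
    """Alert when the reported view and the independent source disagree beyond
    tolerance for `persist` consecutive time-paired samples."""
    alerts = []
    for tag, cfg in tuning.items():
        ref = sorted((s for s in independent if s.tag == tag), key=lambda s: s.ts)
        ref_ts = [s.ts for s in ref]
        streak = []
        for rep in sorted((s for s in reported if s.tag == tag), key=lambda s: s.ts):
            if any(start <= rep.ts <= end for start, end in maintenance):
                streak = []          # planned work: suppress and restart the count
                continue
            obs = nearest(ref, ref_ts, rep.ts)
            if obs is None or abs(obs.ts - rep.ts) > cfg["max_skew"]:
                continue             # no usable pairing: a coverage gap, not a mismatch
            if abs(rep.value - obs.value) <= cfg["tolerance"]:
                streak = []          # agreement within noise resets the count
                continue
            streak.append(rep)
            if len(streak) == cfg["persist"]:   # fire once per sustained episode
                alerts.append({"tag": tag, "since": streak[0].ts,
                               "reported": rep.value, "observed": obs.value})
    return alerts

# Constructed sample data: the HMI shows a steady ~50 % level while an
# independently wired gauge (read out of band) shows the tank filling.
T = "TANK1_LEVEL_PCT"
REPORTED = [Sample(t, T, v) for t, v in
            [(0, 50.1), (10, 49.9), (20, 50.0), (30, 50.2), (40, 50.0), (50, 49.8)]]
INDEPENDENT = [Sample(t, T, v) for t, v in
               [(2, 50.4), (12, 51.0), (22, 58.0), (32, 66.0), (42, 75.0), (52, 83.0)]]

if __name__ == "__main__":
    for alert in find_view_mismatches(REPORTED, INDEPENDENT):
        print(alert)
```

Reported samples with no independent reading inside max_skew are skipped rather than alerted on, so unpaired intervals should be tracked separately as a visibility gap.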
Mitigation priorities
- Prioritize communication authenticity for untrusted networks so message sender identity and message integrity can be verified through secure protocols, MACs, or digital signatures.
- Establish out-of-band communications channels to support operations during communication failures or data integrity attacks.
- Maintain hardened and separated backups, including gold-copy images and configurations for key systems that affect control, view, or availability.
- Exercise incident response plans for scenarios where the displayed process state cannot be trusted.
- Use local process criticality to decide where independent validation and recovery controls are most urgent.
Analyst notes and limits
The supplied ATT&CK object is an ICS technique with no specified platforms, tactics, aliases, labels, or official detection text. Relationship context includes one detection strategy, three mitigations, and ATT&CK software relationships for Stuxnet and Industroyer. This supports defensive planning around telemetry integrity, alternate communications, and recovery readiness, but local engineering diagrams and process safety context are required to prioritize specific systems.
This take is limited to the official STIX fields, external references, and listed relationships. It does not assert active exploitation, customer exposure, specific vulnerable products, or guaranteed detection coverage. Platform-specific recommendations are avoided because the technique itself lists no platforms.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
S0604: Industroyer
Industroyer is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.[1] Industroyer was used in the attacks on the Ukrainian power grid in December 2016.[2] This is the first publicly known malware specifically designed to target and impact operations in the electric grid.[3]
S0603: Stuxnet
Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f1770b6d68d3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Corero. Industrial Control System (ICS) Security. Retrieved 2019/11/04.
- [2] Michael J. Assante and Robert M. Lee. SANS Industrial Control System (ICS) Security; The Industrial Control System Cyber Kill Chain. Retrieved 2024/11/25.
- [3] Tyson Macaulay. RIoT Control: Understanding and Managing Risks and the Internet of Things. Retrieved 2019/11/04.
- [4] mitre-attack T0832.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.