Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1692: Unauthorized Message

Adversaries may send unauthorized messages to ICS systems and devices to evade defenses or manipulate processes. Unauthorized messages can be categorized as either reporting messages that contain telemetry data about the current state of systems, devices, and processes or as command messages which instruct systems and devices on how to operate. By injecting unauthorized messages, adversaries can make it appear as if everything is working correctly when it isn’t, trigger alarms to misdirect personnel or impact processes, and manipulate controls to disrupt processes.[1]

Adversaries may send unauthorized messages in an ICS environment using software found within the environment (living-off-the-land, vendor-specific interfaces, etc.), custom tooling leveraging OT protocols and libraries, or by positioning themselves between systems and devices and injecting messages into the communications such as the case with an Adversary-in-the-Middle attack.

ICST1692TechniqueObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Unauthorized Message is an ICS technique where an adversary sends false or unauthorized telemetry or control messages into an operational environment. The business issue is not just network intrusion; it is loss of trust in what operators see and what controllers are told to do. If messages can be spoofed or injected, teams may make decisions from false process data, chase misleading alarms, or experience unauthorized process changes.

Executive priority

Prioritize this as an operational resilience and safety-adjacent control question for ICS environments. Leaders should ask whether critical HMI, PLC, RTU, IED, control server, safety controller, DCS controller, and PAC communications are authenticated, segmented, filtered, and baselined. This technique is material for incident response readiness because responders must be able to distinguish legitimate process behavior from manipulated reporting or command traffic.

Technical view

SOC, OT security, and IR teams should validate visibility and controls around ICS message paths, especially communications involving HMIs, controllers, RTUs, IEDs, control servers, safety controllers, DCS controllers, and PACs. ATT&CK does not provide official detection text for this object, but the relationship to DET0902 indicates a detection strategy exists for unauthorized messages. Detection engineering should focus on whether authorized senders, expected message types, rates, sequences, and process-state preconditions can be verified for command and reporting traffic. Investigations should consider living-off-the-land use of vendor interfaces, custom tooling using OT protocols, and adversary-in-the-middle positioning as described by the source object.

Likely telemetry

  • ICS network traffic captures or flow records between control servers, HMIs, RTUs, PLCs, IEDs, safety controllers, DCS controllers, and PACs
  • Application-layer automation protocol metadata where available, including message type, source, destination, timing, and sequence patterns
  • Controller, HMI, control server, and engineering/workstation logs where they record commands, connections, alarms, telemetry changes, or API access
  • Asset inventory and approved communication matrices for IP address, MAC address, port, protocol, and expected device relationships
  • Process historian, alarm, and telemetry records that can be compared against expected operational states

Detection direction

  • Validate that DET0902 or local detections can identify messages from unauthorized sources, unexpected device pairs, unexpected protocols, abnormal message types, or unusual message rates.
  • Tune detections against known operating modes and maintenance windows to reduce false positives from legitimate vendor tools or authorized operational changes.
  • Look for mismatches between reporting messages and independent process expectations, since spoofed reporting messages can make operations appear normal when they are not.
  • Correlate command messages with expected logical preconditions and authorized operator or control-server activity where such records exist.
  • Assess blind spots caused by limited OT protocol parsing, encrypted or proprietary traffic, unmanaged field devices, or lack of passive monitoring in segmented control networks.

Mitigation priorities

  • Start with network segmentation to restrict enterprise or non-required network paths to critical process control systems.
  • Implement communication authenticity where supported, using secure protocols or mechanisms that authenticate message senders and verify message integrity.
  • Require authentication for devices and software processes, including remote device communications and API access where applicable.
  • Use network allowlists for permitted IP addresses, MAC addresses, ports, protocols, and device-to-device connections.
  • Apply protocol-aware traffic filtering for automation protocols when expected communication sequences, message types, rates, or patterns are well defined.
Analyst notes and limits

The parent technique includes two important defensive branches: unauthorized command messages and spoofed reporting messages. Treat both as separate validation cases because one affects what devices are instructed to do and the other affects what operators and monitoring systems believe is happening. The targeted asset relationships make this especially relevant to OT environments with HMIs, controllers, RTUs, IEDs, control servers, and safety-related control assets.

ATT&CK provides no official detection text, no tactics, and no platform list for the parent technique. The related target assets include embedded, Linux, and Windows platforms, but those should not be treated as exhaustive platform coverage for T1692. Local architecture, protocol support, vendor capabilities, and available OT telemetry are required to determine actual exposure and detection coverage.

Official MITRE ATT&CK definition

Unauthorized Message

Adversaries may send unauthorized messages to ICS systems and devices to evade defenses or manipulate processes. Unauthorized messages can be categorized as either reporting messages that contain telemetry data about the current state of systems, devices, and processes or as command messages which instruct systems and devices on how to operate. By injecting unauthorized messages, adversaries can make it appear as if everything is working correctly when it isn’t, trigger alarms to misdirect personnel or impact processes, and manipulate controls to disrupt processes.[1]

Adversaries may send unauthorized messages in an ICS environment using software found within the environment (living-off-the-land, vendor-specific interfaces, etc.), custom tooling leveraging OT protocols and libraries, or by positioning themselves between systems and devices and injecting messages into the communications such as the case with an Adversary-in-the-Middle attack.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows
Domain ID Name Relationship / procedure
ICS T1692.002 Reporting Message Sub-technique Reporting Message subtechnique of this object.
ICS T1692.001 Command Message Sub-technique Command Message subtechnique of this object.
Relationship explorer

All related ATT&CK context

subtechnique of · Technique T1692.002: Reporting Message ICS subtechnique of · Technique T1692.001: Command Message ICS targets · ICS Asset A0003: Programmable Logic Controller (PLC) ICS targets · ICS Asset A0007: Control Server ICS detects · Detection Strategy DET0902: Detection of Unauthorized Message ICS targets · ICS Asset A0017: Distributed Control System (DCS) Controller ICS mitigates · Mitigation M0813: Software Process and Device Authentication ICS targets · ICS Asset A0005: Intelligent Electronic Device (IED) ICS targets · ICS Asset A0002: Human-Machine Interface (HMI) ICS targets · ICS Asset A0010: Safety Controller ICS mitigates · Mitigation M0807: Network Allowlists ICS targets · ICS Asset A0018: Programmable Automation Controller (PAC) ICS mitigates · Mitigation M0930: Network Segmentation ICS mitigates · Mitigation M0802: Communication Authenticity ICS mitigates · Mitigation M0937: Filter Network Traffic ICS targets · ICS Asset A0004: Remote Terminal Unit (RTU) ICS
Mitigations

Mitigation direction

Mitigation ICS

M0813: Software Process and Device Authentication

Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.

Mitigation ICS

M0807: Network Allowlists

Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in Filter Network Traffic mitigation.

Mitigation ICS

M0930: Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. [1] [2]

Mitigation ICS

M0802: Communication Authenticity

When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.

Mitigation ICS

M0937: Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
e0853b732edd0d5f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle e0853b732edd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011

    Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011 A Taxonomy of Cyber Attacks on SCADA Systems Retrieved. 2018/01/12

    Open source URL
  2. [2]
    mitre-attack T1692
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use