DET0746 Detection of Spoof Reporting Message
| Item | Value |
|---|---|
| ID | DET0746 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T0856 (Spoof Reporting Message)
Analytics
ICS
AN1879
Various techniques enable spoofing a reporting message. Consider monitoring for Rogue Master and Adversary-in-the-Middle activity, which may precede this technique. Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to Adversary-in-the-Middle activity.

Monitor for LLMNR/NBT-NS poisoning via new services/daemons, which may be used to enable this technique. For added context on adversary procedures and background, see LLMNR/NBT-NS Poisoning and SMB Relay.

Spoofed reporting messages may be detected by reviewing the content of automation protocols, either by detecting based on expected values or by comparing to other out-of-band process data sources. Spoofed messages may not precisely match legitimate messages, which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.
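The content checks described above, as an added example that is not part of the ATT&CK page: decoded reporting messages are compared against expected value ranges, against an independent out-of-band reading for the same process point, and against a baseline of how legitimate messages are constructed. The tags, ranges, readings and message layout are constructed for a hypothetical plant.

```python
"""Added example: flag suspect reporting messages by comparing reported
process values to expected ranges and out-of-band readings, and by
checking message construction against a learned baseline."""
from dataclasses import dataclass


@dataclass
class Report:
    seq: int          # sequence number in the report stream
    tag: str          # process point the message reports on
    value: float      # reported value
    fields: tuple     # field names present in the decoded message
    length: int       # wire length of the message in bytes


# Constructed reference data (hypothetical plant): acceptable range per
# tag, an independent reading from a second out-of-band data source, and
# the field set / length seen in legitimate reports during baselining.
EXPECTED_RANGES = {"TANK1_LEVEL": (0.0, 100.0), "PUMP1_PRESSURE": (1.0, 8.0)}
OUT_OF_BAND = {"TANK1_LEVEL": 42.0, "PUMP1_PRESSURE": 5.1}
BASELINE = {"fields": ("seq", "tag", "value", "quality"), "length": 24}


def analyze_reports(reports, tolerance=0.1):
    """Return (seq, reason) alerts for messages that look spoofed.

    tolerance is the relative disagreement allowed against the out-of-band
    reading; tune it per process, since sensors legitimately drift."""
    alerts = []
    for r in reports:
        lo, hi = EXPECTED_RANGES.get(r.tag, (float("-inf"), float("inf")))
        if not lo <= r.value <= hi:
            alerts.append((r.seq, f"{r.tag} value {r.value} outside expected range"))
        ref = OUT_OF_BAND.get(r.tag)
        if ref is not None and abs(r.value - ref) > tolerance * max(abs(ref), 1.0):
            alerts.append((r.seq, f"{r.tag} disagrees with out-of-band reading {ref}"))
        # Malformed or restructured messages are a weak signal on their own
        # (benign causes are common), so they are reported as a separate reason.
        if r.fields != BASELINE["fields"] or r.length != BASELINE["length"]:
            alerts.append((r.seq, "message construction differs from baseline"))
    return alerts


# Constructed sample stream: one genuine report, one plausible-looking
# value that the out-of-band source contradicts, one restructured message.
SAMPLE = [
    Report(1, "TANK1_LEVEL", 41.5, ("seq", "tag", "value", "quality"), 24),
    Report(2, "TANK1_LEVEL", 95.0, ("seq", "tag", "value", "quality"), 24),
    Report(3, "PUMP1_PRESSURE", 5.2, ("seq", "tag", "value"), 20),
]

if __name__ == "__main__":
    for seq, reason in analyze_reports(SAMPLE):
        print(f"report {seq}: {reason}")
```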
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | Network Traffic | None |
| Device Alarm (DC0108) | Operational Databases | None |
| Windows Registry Key Modification (DC0063) | Windows Registry | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
Mutable Elements
| Field | Description |
|---|---|