name: AN-DET-04 Out-of-pattern command authority usage
details: |
  Detects command-authority usage outside per-operator behavioral baseline: off-hours commands,
  missing peer-review tags on high-impact actions, command sequences inconsistent with the active
  mission profile. Targets the operator console (AST:HW:Hardware:04) and the command-audit log on
  console-ops (SVC:CP:Control Plane:13). Implements AN-DET:04. Coverage is partial: depends on
  per-operator baselines being maintained.
author: ethicallyHackingSpace
severity: medium
type: query
class: anomaly
status: experimental
date: 2026-06-07
mitre-attack:
  - T1078.003
references:
  - https://attack.mitre.org/techniques/T1078/003/
  - https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
tags:
  - meteorstorm.an-det.04
  - meteorstorm.tdm.ast-hw-hardware-04
  - meteorstorm.tdm.svc-cp-control-plane-13
  - attack.privilege-escalation
logsource:
  product: satellite_command_pipeline
  category: command_audit
detection:
  selection_console_origin:
    origin_device|contains: "operator-console"
  selection_off_hours:
    hour_of_day|not_in:
      - 8
      - 9
      - 10
      - 11
      - 12
      - 13
      - 14
      - 15
      - 16
      - 17
  selection_high_impact:
    command_class|in:
      - "ftc_arm"
      - "fts_arm"
      - "thruster_burn"
      - "ranging_off"
      - "encryption_disable"
  selection_no_peer_review:
    peer_review_tag: false
  condition: selection_console_origin and selection_high_impact and (selection_off_hours or selection_no_peer_review)
falsepositives:
  - Documented emergency override with incident ticket cross-reference
