name: AN-DET-08 Replay-and-spoof command anomaly
details: |
  Detects command-uplink replay and spoof patterns. Watches link-layer auth audit (SVC:CP:Control
  Plane:05) and ground-side key-material audit (SVC:CP:Control Plane:09) for commands with valid
  auth tags arriving with anomalous timing, sequence numbers reused, or session keys appearing in
  unexpected places. Coverage is partial: requires command-cadence baseline. Implements AN-DET:08.
author: ethicallyHackingSpace
severity: high
type: query
class: anomaly
status: experimental
date: 2026-06-07
mitre-attack:
  - T1565.002
references:
  - https://sparta.aerospace.org/technique/SPACE-T1428
tags:
  - meteorstorm.an-det.08
  - meteorstorm.tdm.svc-cp-control-plane-05
  - meteorstorm.tdm.svc-cp-control-plane-09
  - meteorstorm.tdm.ast-si-signal-00
  - sparta.SPACE-T1428
logsource:
  product: satellite_command_pipeline
  category: command_audit
detection:
  selection_auth_valid:
    auth_tag_valid: true
  selection_sequence_reuse:
    sequence_number|seen_in_last_window: true
  selection_timing_anomaly:
    inter_command_interval_ms|outside_baseline_pct: ">=99"
  selection_key_reuse_unexpected:
    session_key_id|seen_in_other_session: true
  condition: selection_auth_valid and (selection_sequence_reuse or selection_timing_anomaly or selection_key_reuse_unexpected)
falsepositives:
  - Authorized command-replay validation test
