name: AN-DET-10 Destructive on-board command anomaly
details: |
  Detects on-board command sequences that violate operational envelopes for ADCS (SVC:CP:Control
  Plane:00), EPS (SVC:CP:Control Plane:02), and FTS (SVC:CP:Control Plane:03). Watches for commands
  requesting impossible attitudes, prohibited power configurations, or arming FTS outside arming
  windows. Implements AN-DET:10.
author: ethicallyHackingSpace
severity: critical
type: query
class: command_anomaly
status: stable
date: 2026-06-07
mitre-attack: []
references:
  - https://sparta.aerospace.org/technique/SPACE-T1029
tags:
  - meteorstorm.an-det.10
  - meteorstorm.tdm.svc-cp-control-plane-00
  - meteorstorm.tdm.svc-cp-control-plane-02
  - meteorstorm.tdm.svc-cp-control-plane-03
  - sparta.SPACE-T1029
logsource:
  product: satellite_command_pipeline
  category: command_audit
detection:
  selection_destructive_class:
    command_class|in:
      - "ftc_arm"
      - "fts_arm"
      - "thruster_extended_burn"
      - "eps_load_shed_all"
      - "adcs_slew_max_rate"
  selection_envelope_violation:
    envelope_check: "fail"
  selection_outside_arming_window:
    arming_window_active: false
  condition: selection_destructive_class and (selection_envelope_violation or selection_outside_arming_window)
falsepositives:
  - Authorized emergency safe-mode command with documented incident reference
