Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1884: Analytic 1884

Monitor device alarms for program downloads, although not all devices produce such alarms. Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols. Consult asset management systems to understand expected program versions. Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

ICSAN1884AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because unauthorized or unexpected program downloads in industrial control environments can change how automation devices behave. For executives and security leaders, the decision value is not that a device alarm exists, but whether the organization can prove what control logic or program version should be running, detect when it changes, and respond before operational reliability or safety assumptions are affected.

Executive priority

Prioritize this as an operational resilience and assurance issue for ICS environments. Leaders should ask whether asset owners maintain expected program versions, whether device and protocol evidence is retained, and whether SOC/IR teams can distinguish approved engineering activity from unexpected program download or modification events. The supplied ATT&CK object does not specify platforms, tactics, or threat relationships, so prioritization should be based on local criticality of the controlled process and the organization’s change-control requirements.

Technical view

Validate monitoring around device alarms, ICS automation protocol functions, remote management protocol functions, device configuration logs, application logs, and asset management records. The key analytic question is whether a program download, online edit, program append, or related modification can be correlated against approved change windows and expected program versions. Because the object states that not all devices produce alarms, detection engineering should not depend on a single alarm source; it should compare multiple evidence classes where available.

Likely telemetry

  • Device alarms indicating program download or modification activity
  • ICS automation protocol traffic or logs showing program download or modification functions
  • Remote management protocol activity associated with program download or modification
  • Device configuration logs containing alerts or records of program download activity
  • Device application logs indicating full program download, online edit, or program append functions

Detection direction

  • Inventory which ICS devices can and cannot generate program download alarms; treat missing alarm capability as a coverage gap, not as absence of activity.
  • Correlate observed program download, online edit, or program append events with approved maintenance windows and change records.
  • Compare observed or reported program versions against asset management systems to identify unexpected changes.
  • Tune for legitimate engineering workflows to reduce false positives, while preserving review of changes outside expected windows or involving unexpected assets.
  • Assess whether protocol monitoring and device logs are retained long enough to support incident response and compliance evidence.

Mitigation priorities

  • Establish and maintain authoritative records of expected program versions for relevant ICS assets.
  • Require change-control evidence for program downloads, online edits, and program appends.
  • Enable and retain device configuration and application logs where supported by the device.
  • Supplement device alarms with protocol monitoring where alarms are unavailable or inconsistent.
  • Define IR procedures for validating whether a detected program change was authorized and whether operational risk requires escalation.
Analyst notes and limits

This Glexia take is based on ATT&CK analytic AN1884 in the ICS domain. No ATT&CK tactics, platforms, relationships, aliases, labels, or separate detection field were supplied. The strongest defensible use case is control validation: confirming whether the organization can observe program download or modification activity and reconcile it with expected program versions and approved changes.

The source object provides high-level monitoring guidance only. It does not identify specific products, platforms, protocols, adversaries, procedures, severity, or active exploitation. Local device capabilities, logging configuration, network visibility, asset management quality, and change-control discipline determine practical coverage.

Official MITRE ATT&CK definition

Analytic 1884

Monitor device alarms for program downloads, although not all devices produce such alarms. Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols. Consult asset management systems to understand expected program versions. Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
89d5f9ad6eb99956...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 89d5f9ad6eb9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1884
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use