Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1893: Analytic 1893

Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools. Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads). Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.

ICSAN1893AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about recognizing possible program uploads from embedded ICS assets by watching management or file-transfer protocols, unusual bulk data movement, signatures of program files, and device alarms when available. For leaders, the practical value is protecting operational continuity: unauthorized or unexpected movement of controller logic or program files can indicate activity that deserves rapid engineering and incident-response review, even when traditional IT alerts are quiet.

Executive priority

Prioritize this as an ICS visibility and response-readiness question rather than a generic network alert. Leadership should ask whether the organization knows what normal program upload activity looks like, who is authorized to perform it, whether such events are logged or alarmed, and whether SOC and operations teams have a joint process to validate them. This supports operational resilience, audit evidence for change control, and faster incident decision-making in cyber-physical environments.

Technical view

SOC, OT monitoring, and IR teams should validate whether ICS management protocols, file transfer protocols, and device alarms can expose program upload events. Where protocol semantics are not well understood, the supplied guidance supports inspecting network traffic for recognizable program files using signature-based tooling. Detection should be baseline-driven: irregular bulk transfers between embedded ICS assets and other network nodes are meaningful only when compared with normal operations and the capabilities of the relevant industrial automation protocols, including cases such as partial program uploads.

Likely telemetry

  • ICS management protocol traffic metadata and, where available, parsed protocol functions related to program uploads
  • File transfer protocol logs or network traffic involving embedded ICS assets
  • Network flow records showing bulk transfers between embedded ICS assets and other nodes
  • Packet capture or deep packet inspection evidence capable of identifying program file signatures
  • Device alarms or event records generated when program uploads occur

Detection direction

  • Confirm whether monitoring can identify program-upload-related functions in the relevant ICS or file transfer protocols.
  • Build baselines for normal communication patterns and expected data volumes between embedded ICS assets and peer systems before treating bulk transfer as suspicious.
  • Tune detections to account for authorized maintenance, backups, engineering workstation activity, and vendor support workflows to reduce false positives.
  • Where protocols are poorly understood, evaluate signature-based identification of program files in network traffic, while documenting coverage limits.
  • Do not rely only on device alarms, because the official description notes that not all devices will produce alarms for uploads.

Mitigation priorities

  • Establish and enforce an authorized change-control process for program upload activity in ICS environments.
  • Inventory which embedded ICS assets, engineering systems, and network paths can participate in program uploads.
  • Ensure network monitoring covers relevant ICS management and file transfer paths where feasible.
  • Retain sufficient network and device-alarm evidence to support incident response and compliance review.
  • Create escalation procedures that bring OT engineering into triage when unexpected upload-like activity is observed.
Analyst notes and limits

No ATT&CK tactics, platforms, aliases, labels, or relationship context were supplied for this analytic. The official description is detection-oriented and focused on observable ICS protocol behavior, bulk transfer patterns, file signatures, and device alarms. The strongest defensive use is as a validation checklist for OT network visibility and change-control evidence rather than as a standalone high-confidence alert.

The object provides no official detection field beyond the description, no platforms, and no relationships to techniques or mitigations. Local protocol knowledge, asset inventory, baselines, and engineering maintenance records are required to determine what is normal or suspicious in a specific environment.

Official MITRE ATT&CK definition

Analytic 1893

Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools. Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads). Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
aef917a46fa1b6e9...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle aef917a46fa1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1893
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use