MITRE ATT&CK® Analytic

AN2056: Analytic 2056

Monitor device alarms for program downloads, although not all devices produce such alarms.

Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.

Consult asset management systems to understand expected program versions.

Monitor device configuration logs, which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

ICS | AN2056 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Analytic 2056 is about validating whether an ICS environment can notice program downloads or modifications on automation devices. For leaders, the business value is not simply "detecting a change"; it is knowing whether unauthorized or unexpected logic changes would be identified quickly enough to protect operational continuity, safety-relevant processes, and incident response decision-making. The ATT&CK source is explicit that not all devices produce alarms, so this analytic should drive a coverage review rather than an assumption that monitoring already exists.

Executive priority

Prioritize this as an operational resilience and audit-evidence question: can the organization prove what control logic is expected, when it changed, and whether the change was authorized? Security and operations leaders should ask whether asset management contains expected program versions, whether device and configuration logs are retained, and whether SOC/IR teams know how to escalate unexpected program download, online edit, or append events. This is especially important where ICS process integrity is tied to production uptime, safety, or regulatory assurance.

Technical view

SOC, detection engineering, and IR teams should validate monitoring around device alarms, ICS automation protocol activity, remote management protocol activity, configuration logs, application logs, and asset-management records of expected program versions. The supplied object ties the analytic to no specific ATT&CK tactic or platform, so implementation must be mapped locally to the actual controllers, engineering workstations, management tools, and protocols in use. Detection logic should distinguish expected maintenance and programming activity from unexpected program download or modification indicators, which in practice means comparing each observed change against change-control records and the expected program version rather than alerting on every download.

Likely telemetry

  • Device alarms indicating program downloads or modifications
  • ICS automation protocol functions related to program download or modification
  • Remote management protocol activity related to program download or modification
  • Device configuration logs
  • Device application logs showing full program download, online edit, or program append functions

Detection direction

  • Confirm which devices generate alarms for program downloads and which do not; treat non-alarming devices as a visibility gap.
  • Monitor for protocol functions associated with program download or modification where ICS automation or remote management protocols are observable.
  • Correlate observed program change activity with asset management records of expected program versions.
  • Review device configuration and application logs for full downloads, online edits, and append functions.
  • Tune detections around approved maintenance windows and authorized engineering activity to reduce false positives without suppressing unexpected changes.
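The detection direction above, as one worked example. This is an added illustration, not MITRE or Glexia code: it correlates constructed program-change events from the telemetry kinds the analytic lists (device alarms, protocol monitoring, configuration and application logs) with a hypothetical inventory of expected program versions and an approved change window, then flags devices that cannot alarm on download as a visibility gap. Device names, field names, the change ticket, and all sample events are constructed; the event format is a vendor-neutral stand-in for whatever the collector in a given environment emits.

```python
"""
Added example, not MITRE's or Glexia's code: correlate constructed program-change
events with a hypothetical inventory of expected program versions and approved
change windows, as Analytic 2056 describes. Device names, field names, tickets
and all sample events below are constructed for illustration.
"""
import copy
import json
from datetime import datetime, timezone

# Log/protocol functions the analytic names as program modification indicators.
PROGRAM_CHANGE_FUNCTIONS = {"full_download", "online_edit", "program_append"}

# Constructed asset inventory: expected program version per device, plus whether
# the device is known to raise a native alarm on program download.
EXPECTED_PROGRAMS = {
    "plc-line1": {"version": "v12", "alarms_on_download": True},
    "plc-line2": {"version": "v07", "alarms_on_download": False},
    "rtu-sub3": {"version": "v03", "alarms_on_download": False},
}

# Constructed change-control record: one approved download window on plc-line1.
APPROVED_CHANGES = [
    {"device": "plc-line1", "ticket": "CHG-0001", "new_version": "v13",
     "start": "2024-05-10T01:00:00Z", "end": "2024-05-10T03:00:00Z"},
]

# Constructed, vendor-neutral events (one JSON object per line) from the
# telemetry kinds the analytic lists: alarms, protocol monitoring, device logs.
SAMPLE_EVENTS = [
    '{"ts":"2024-05-10T01:42:10Z","device":"plc-line1","source":"application_log",'
    '"function":"full_download","version":"v13","operator":"eng01"}',
    '{"ts":"2024-05-10T14:05:33Z","device":"plc-line2","source":"protocol_monitor",'
    '"function":"online_edit","version":"v08","src_ip":"10.0.5.77"}',
    '{"ts":"2024-05-11T02:11:00Z","device":"rtu-sub3","source":"configuration_log",'
    '"function":"program_append","version":"v03","src_ip":"10.0.9.12"}',
    '{"ts":"2024-05-11T03:20:00Z","device":"plc-line1","source":"device_alarm",'
    '"function":"full_download","version":"v13"}',
    '{"ts":"2024-05-11T04:00:00Z","device":"plc-line1","source":"protocol_monitor",'
    '"function":"read_status"}',
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_approval(event, approvals):
    """Return the approved change whose window covers this event, else None."""
    ts = parse_ts(event["ts"])
    for change in approvals:
        if change["device"] == event["device"] and \
                parse_ts(change["start"]) <= ts < parse_ts(change["end"]):
            return change
    return None


def evaluate(event, inventory, approvals):
    """Classify one event; returns None for anything that is not a program change.

    An approved, version-matching change updates the inventory baseline so that
    later events are judged against the new expected version.
    """
    if event.get("function") not in PROGRAM_CHANGE_FUNCTIONS:
        return None
    device, version = event["device"], event.get("version")
    base = {"ts": event["ts"], "device": device, "source": event["source"],
            "function": event["function"]}
    known = inventory.get(device)
    if known is None:
        return {**base, "verdict": "unexpected", "severity": "high",
                "reasons": ["device not present in asset inventory"]}
    approval = find_approval(event, approvals)
    if approval is not None and version == approval["new_version"]:
        known["version"] = version
        return {**base, "verdict": "expected", "severity": "info",
                "reasons": [f"approved under {approval['ticket']}"]}
    reasons = []
    if approval is None:
        reasons.append("program change outside any approved window")
    else:
        reasons.append(f"version {version} differs from approved {approval['new_version']}")
    if version != known["version"]:
        reasons.append(f"version {version} differs from expected {known['version']}")
    # Unapproved and wrong version together are the strongest signal; a program
    # change that leaves the version unchanged still warrants a medium alert.
    severity = "high" if len(reasons) == 2 else "medium"
    return {**base, "verdict": "unexpected", "severity": severity, "reasons": reasons}


def run(lines, inventory=EXPECTED_PROGRAMS, approvals=APPROVED_CHANGES):
    """Evaluate raw event lines in timestamp order against a copy of the inventory."""
    inventory = copy.deepcopy(inventory)
    events = sorted((json.loads(line) for line in lines), key=lambda e: parse_ts(e["ts"]))
    verdicts = (evaluate(e, inventory, approvals) for e in events)
    return [v for v in verdicts if v is not None]


def visibility_gaps(inventory):
    """Devices that cannot alarm on program download and need protocol or log coverage."""
    return sorted(d for d, info in inventory.items() if not info["alarms_on_download"])


if __name__ == "__main__":
    for verdict in run(SAMPLE_EVENTS):
        print(json.dumps(verdict))
    print("no native download alarm:", visibility_gaps(EXPECTED_PROGRAMS))
```

Two design points worth keeping when adapting this to real telemetry. First, a program change is not "expected" just because the observed version matches the inventory: the fourth sample event downloads the already-expected v13 outside any window and is still raised, because an online edit or append can change logic without touching a version string. Second, the approved change updates the baseline only after it is actually observed, so the inventory reflects what the device is running, not what a ticket said would happen.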

Mitigation priorities

  • Build and maintain an authoritative inventory of expected device program versions.
  • Enable and retain device alarms, configuration logs, and application logs where supported by the device.
  • Establish change-control evidence for program downloads, online edits, and program append actions.
  • Prioritize visibility improvements for devices that do not produce native program-download alarms.
  • Integrate relevant ICS and remote management telemetry into SOC or managed detection workflows where technically feasible.

Analyst notes and limits

This object is an ATT&CK ICS detection analytic, not a technique description. Its value is strongest as a coverage and evidence checklist for detecting changes to automation programs. The supplied relationship context is empty, and no platforms or tactics are specified, so local asset, protocol, and device knowledge is required to operationalize it.

Official detection content is not provided beyond the description, and no relationships, platforms, tactics, aliases, or labels were supplied. The source also notes that not all devices produce program-download alarms. This take therefore cannot assert detection coverage, specific technologies, active exploitation, attribution, or guaranteed observability.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a8041f8aeff611bf...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | a8041f8aeff6…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN2056 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.