MITRE ATT&CK® Analytic

AN2058: Analytic 2058

Monitor device alarms for program downloads, although not all devices produce such alarms.

Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.

Consult asset management systems to understand expected program versions.

Monitor device configuration logs, which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

ICS | AN2058 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because unauthorized or unexpected program downloads in industrial control environments can represent a direct change to how a device behaves. For executives and operations leaders, the key issue is not just detection of a file transfer; it is whether the organization can prove that controller or device logic changes are expected, approved, and aligned with known asset versions. MITRE notes that some devices generate alarms for program downloads, some protocols may expose download or modification functions, and configuration or application logs may show full downloads, online edits, or appended program changes.

Executive priority

Prioritize this as an operational resilience and change-control evidence question for ICS environments. Leaders should ask whether engineering changes to automation devices are visible to the SOC or OT operations team, whether expected program versions are tracked in asset management, and whether incident responders can quickly distinguish authorized maintenance from suspicious modification. The business value is strongest where process safety, uptime, auditability, or cyber-physical consequences depend on trusted device logic.

Technical view

SOC, OT monitoring, and incident response teams should validate whether they can observe program download or modification activity through device alarms, ICS automation protocol monitoring, remote management protocol monitoring, configuration logs, application logs, and asset management records. Because MITRE provides no specific platform, tactic, or formal detection logic for this analytic, implementation should be environment-specific and tied to known device types, approved engineering workflows, and expected program versions.

Likely telemetry

  • Device alarms indicating program download activity, where supported by the device
  • ICS automation protocol traffic showing program download or modification functions
  • Remote management protocol activity related to program download or modification
  • Device configuration logs that alert on program download events
  • Device application logs showing full program download, online edit, or program append events

Detection direction

  • Confirm which ICS devices actually produce program download alarms; MITRE explicitly notes that not all devices do.
  • Baseline approved engineering activity and expected program versions so alerts can be evaluated against legitimate maintenance.
  • Monitor protocol functions associated with program download or modification, rather than relying only on endpoint-style logs.
  • Correlate device alarms, protocol observations, configuration logs, application logs, and asset inventory to reduce ambiguity.
  • Tune for maintenance windows and authorized engineering work to avoid treating every program change as suspicious.

Mitigation priorities

  • Establish authoritative asset management for expected device program versions.
  • Require approved change-control records for program downloads, online edits, and program appends.
  • Ensure device configuration and application logs are collected where technically available.
  • Add network or protocol monitoring for ICS automation and remote management protocols where feasible.
  • Create IR playbooks for validating whether a detected program change was authorized and whether the running program matches the expected version.
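The "Detection direction" and "Mitigation priorities" lists above describe one correlation: take whatever program-change indicators a device actually emits (an alarm, a protocol function, a configuration-log alert, an application-log entry), decide whether they fall inside an approved change-control window, and check the version the device reports afterwards against the expected one from the change record or the asset inventory. The following Python is an added illustration of that logic and is not code from MITRE or Glexia. The event line format, field names (`source`, `function`, `event`, `version`), device identifiers, version strings and change-control records are all constructed for the example; a real deployment would map them from its own protocol monitor, device logs and asset system.

```python
"""Correlate ICS program-change indicators with change control and asset records.

Added illustration only (not MITRE's or Glexia's code). Event format, field
names, device ids, versions and change-control records are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Functions the analytic says may reveal a program change, whether seen as a
# protocol function, a configuration-log alert or an application-log entry.
PROGRAM_CHANGE_FUNCTIONS = {"program_download", "online_edit", "program_append"}


@dataclass
class ChangeRecord:
    """One approved engineering change (constructed change-control entry)."""
    device: str
    start: datetime
    end: datetime
    expected_version: str  # version the device should run after the work
    ticket: str


@dataclass
class Finding:
    device: str
    indicators: List[str] = field(default_factory=list)  # which sources fired
    authorized: bool = False
    ticket: str = ""
    version_match: Optional[bool] = None  # None: no version seen afterwards
    severity: str = "info"


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value ...' event line; ts becomes a datetime."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_program_change(ev: dict) -> bool:
    """True when an alarm, protocol, config-log or app-log event indicates a program change."""
    src = ev["source"]
    if src == "alarm":
        return ev.get("alarm") == "PROGRAM_DOWNLOAD"
    if src == "protocol":
        return ev.get("function") in PROGRAM_CHANGE_FUNCTIONS
    if src in ("config_log", "app_log"):
        return ev.get("event") in PROGRAM_CHANGE_FUNCTIONS
    return False


def correlate(events: List[dict], inventory: Dict[str, str], changes: List[ChangeRecord],
              window: timedelta = timedelta(minutes=30)) -> Dict[str, Finding]:
    """Group change indicators per device, then test them against change control and asset records."""
    grouped: Dict[str, List[dict]] = {}
    for ev in events:
        if is_program_change(ev):
            grouped.setdefault(ev["device"], []).append(ev)

    findings: Dict[str, Finding] = {}
    for device, evs in grouped.items():
        f = Finding(device, indicators=sorted({e["source"] for e in evs}))
        first = min(e["ts"] for e in evs)
        # Authorized only if an approved change window for this device covers the first indicator.
        approved = next((c for c in changes if c.device == device and c.start <= first <= c.end), None)
        if approved:
            f.authorized, f.ticket = True, approved.ticket
        expected = approved.expected_version if approved else inventory.get(device)
        # A version observation within the window after the change shows what now runs.
        seen = [e["version"] for e in events
                if e["device"] == device and e["source"] == "version"
                and first <= e["ts"] <= first + window]
        if seen:
            f.version_match = seen[-1] == expected
        if not f.authorized:
            f.severity = "high"       # change outside any approved window
        elif f.version_match is False:
            f.severity = "medium"     # approved work, but the device runs something else
        elif f.version_match is None:
            f.severity = "low"        # approved, running version not yet confirmed
        findings[device] = f
    return findings


# Constructed sample inputs: asset inventory (expected running versions),
# change-control records and a mixed stream of device, protocol and log events.
INVENTORY = {"PLC-01": "2.3.5", "PLC-02": "1.0.0", "PLC-03": "3.1.0", "PLC-07": "1.9.0"}
CHANGES = [
    ChangeRecord("PLC-01", datetime(2024, 5, 14, 9, 0), datetime(2024, 5, 14, 10, 0), "2.4.0", "CHG-1042"),
    ChangeRecord("PLC-03", datetime(2024, 5, 14, 10, 0), datetime(2024, 5, 14, 12, 0), "3.1.0", "CHG-1043"),
]
EVENT_LINES = [
    "ts=2024-05-14T09:02:10 device=PLC-01 source=alarm alarm=PROGRAM_DOWNLOAD",
    "ts=2024-05-14T09:02:12 device=PLC-01 source=protocol function=program_download peer=10.0.5.20",
    "ts=2024-05-14T09:03:00 device=PLC-01 source=app_log event=program_download",
    "ts=2024-05-14T09:05:30 device=PLC-01 source=version version=2.4.0",
    "ts=2024-05-14T10:15:00 device=PLC-02 source=app_log event=status_ok",
    "ts=2024-05-14T11:00:00 device=PLC-03 source=config_log event=program_append",
    # PLC-07 raises no alarm at all (not every device does); only protocol traffic shows the edit.
    "ts=2024-05-14T23:41:05 device=PLC-07 source=protocol function=online_edit peer=10.0.9.44",
    "ts=2024-05-14T23:42:00 device=PLC-07 source=version version=1.9.1",
]


def run_example() -> Dict[str, Finding]:
    return correlate([parse_event(line) for line in EVENT_LINES], INVENTORY, CHANGES)


if __name__ == "__main__":
    for dev, f in sorted(run_example().items()):
        print(f"{dev}: severity={f.severity} authorized={f.authorized} ticket={f.ticket or '-'} "
              f"version_match={f.version_match} indicators={f.indicators}")
```

Three things in the sample output are worth noticing. PLC-01 fires on three independent sources inside an approved window and reports the version the change record expected, so it is closed as informational. PLC-03 is approved but no version observation followed, so it stays open at low severity until the running program is confirmed against the inventory, which is the validation step the IR playbook bullet calls for. PLC-07 never raised an alarm, which is exactly why the analytic says not to rely on alarms alone: the online edit is visible only in protocol traffic, it matches no change record, and the device now reports a version the inventory does not expect.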

Analyst notes and limits

This is an ICS ATT&CK detection analytic, external ID AN2058, tied to monitoring program download or modification indicators. The supplied object does not include tactics, platforms, relationships, or a separate official detection field, so the take focuses on the official description: alarms, protocol functions, configuration/application logs, and asset management version checks.

Coverage depends heavily on local device capabilities, logging configuration, protocol visibility, and the quality of asset/version records. The supplied ATT&CK object does not identify specific vendors, platforms, techniques, adversaries, campaigns, or active exploitation, so those should not be inferred.

Official MITRE ATT&CK definition

Analytic 2058

Monitor device alarms for program downloads, although not all devices produce such alarms.

Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.

Consult asset management systems to understand expected program versions.

Monitor device configuration logs, which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and Updates pages.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 03d72ad794d17570...

Imported snapshots across ATT&CK releases (1)

  Release  Bundle imported  Object version  Modified  Status          Raw hash
  19.1                      1.0                       Current bundle  03d72ad794d1…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN2058 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.