DET0761: Detection of Program Upload
Analyst context for executives and security teams
DET0761 is a detection strategy for identifying PLC program uploads, a behavior tied to ATT&CK ICS technique T0845 Program Upload. For leaders, the significance is not just that a file moved from a controller: a PLC program can reveal how an industrial process works, which may affect operational resilience, incident scoping, and protection of sensitive process logic.
Executive priority
Treat this as a control-validation item for industrial environments where PLC logic is business-critical. Security and operations leaders should ask whether PLC program upload activity is logged, whether authorized engineering uploads are distinguishable from suspicious activity, and whether SOC/IR teams can quickly determine which workstation, jump box, or interfacing device received the program. This supports incident decision-making, audit evidence for change control, and cyber-physical risk management.
Technical view
The supplied ATT&CK object has no official description, detection text, platforms, or tactics, so implementation must be driven by the related technique context: detecting attempts to upload a program from a PLC using vendor software to a workstation, jump box, or interfacing device. SOC and detection teams should validate visibility across engineering workstations, jump boxes, controller communications, and any available PLC or vendor-software audit logs. Detection logic should focus on program upload/read events, especially outside approved maintenance windows or from unexpected hosts/accounts.
Likely telemetry
- Engineering workstation and jump box host logs showing vendor engineering software execution or file creation associated with PLC programs
- Vendor engineering software logs or project history, where available
- PLC/controller audit or diagnostic logs that record program upload/read activity, where available
- ICS network monitoring that can identify controller-to-workstation program transfer or upload/read operations
- Change-management records, maintenance windows, approved engineer accounts, and asset inventories for correlation
Detection direction
- Baseline legitimate PLC program uploads used for backup, maintenance, troubleshooting, or engineering work to reduce false positives.
- Correlate upload activity with approved change tickets, known engineering workstations, authorized accounts, and scheduled maintenance windows.
- Alert on program uploads to unexpected workstations, jump boxes, or interfacing devices, or uploads involving assets outside normal operational scope.
- Validate that SOC telemetry covers both host-side engineering activity and network/controller-side evidence; many environments have blind spots on PLC audit logs or encrypted/proprietary ICS traffic.
- Use the relationship to T0845 as context: the concern is potential acquisition and study of underlying PLC logic, so IR triage should preserve the received project/program files and identify the source controller and destination system.
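The correlation the bullets above describe, as an added example that is not part of the page or of the ATT&CK/Glexia content: each observed program upload/read is checked against an asset inventory (expected engineering hosts and authorized engineer accounts) and against approved change tickets with maintenance windows, and the reasons for any deviation are reported together with the source controller and destination host so IR knows what to preserve. The log format, host names, accounts, ticket and window values are all constructed sample data and assumptions, not a real vendor or NSM export.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed asset inventory (assumption): hosts expected to receive PLC
# programs and accounts permitted to drive vendor engineering software.
ENGINEERING_HOSTS = {"eng-ws-01", "jump-ot-01"}
AUTHORIZED_ENGINEERS = {r"ot\jdoe", r"ot\asmith"}


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    plc: str
    engineer: str
    workstation: str
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class UploadEvent:
    """One program upload/read observation from any telemetry source
    (ICS network monitor, PLC audit log, or engineering-host EDR)."""
    ts: datetime
    plc: str        # source controller
    dst_host: str   # workstation, jump box or interfacing device
    account: str    # account driving the vendor software ("" if not recorded)
    source: str     # telemetry source name


# Constructed approved change record (assumption)
TICKETS = [
    ChangeTicket("CHG-1042", "plc-line3-main", r"ot\jdoe", "eng-ws-01",
                 datetime(2024, 5, 14, 8, 0), datetime(2024, 5, 14, 12, 0)),
]

# Constructed key=value export lines (the format is an assumption). The last
# line comes from a PLC audit log that does not record the driving account.
SAMPLE_LOG = r"""
ts=2024-05-14T09:15:00 plc=plc-line3-main dst=eng-ws-01 user=ot\jdoe src=ics-nsm op=program_upload
ts=2024-05-14T22:40:00 plc=plc-line3-main dst=eng-ws-01 user=ot\jdoe src=ics-nsm op=program_upload
ts=2024-05-15T03:05:00 plc=plc-line3-main dst=vendor-laptop-77 user=corp\contractor src=ics-nsm op=program_upload
ts=2024-05-14T10:30:00 plc=plc-line3-main dst=eng-ws-01 user=ot\asmith src=eng-ws-edr op=program_upload
ts=2024-05-14T11:00:00 plc=plc-line3-main dst=eng-ws-01 src=plc-audit op=program_read
"""


def parse_events(text: str) -> List[UploadEvent]:
    """Parse constructed key=value lines, keeping only upload/read operations."""
    events = []
    for line in text.strip().splitlines():
        kv = dict(tok.split("=", 1) for tok in line.split())
        if kv.get("op") not in {"program_upload", "program_read"}:
            continue
        events.append(UploadEvent(
            ts=datetime.fromisoformat(kv["ts"]),
            plc=kv["plc"], dst_host=kv["dst"],
            account=kv.get("user", ""), source=kv.get("src", "unknown")))
    return events


def find_ticket(ev: UploadEvent) -> Optional[ChangeTicket]:
    """Approved ticket whose PLC, workstation and window cover this event."""
    for t in TICKETS:
        if (t.plc == ev.plc and t.workstation == ev.dst_host
                and t.window_start <= ev.ts <= t.window_end):
            return t
    return None


def assess(ev: UploadEvent) -> List[str]:
    """Reasons the upload deviates from baseline; empty list means expected."""
    reasons = []
    if ev.dst_host not in ENGINEERING_HOSTS:
        reasons.append("destination not an inventoried engineering host")
    if ev.account and ev.account not in AUTHORIZED_ENGINEERS:
        reasons.append("account not an authorized engineer")
    ticket = find_ticket(ev)
    if ticket is None:
        reasons.append("no approved change window covers this PLC/host/time")
    elif ev.account and ev.account != ticket.engineer:
        reasons.append(f"account differs from ticket {ticket.ticket_id} engineer")
    return reasons


def triage(events: List[UploadEvent]) -> List[Dict[str, object]]:
    """Flagged uploads with the fields IR needs to scope and preserve evidence."""
    findings = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            findings.append({"when": ev.ts.isoformat(), "source_plc": ev.plc,
                             "destination": ev.dst_host, "account": ev.account,
                             "telemetry": ev.source, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_LOG)):
        print(f)
```

An event with no recorded account (the PLC audit line) is not flagged on account grounds; it is judged only on destination and change window, which avoids alerting on every controller-side record in environments where PLC logs cannot attribute the operator. Uploads inside an approved window but driven by a different engineer than the ticket names are still surfaced.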
Mitigation priorities
- Establish and enforce change-control processes for PLC program uploads, including approved users, assets, and maintenance windows.
- Restrict access to vendor engineering software and PLC communication paths to authorized engineering systems and accounts.
- Maintain asset inventories mapping PLCs, engineering workstations, jump boxes, and interfacing devices to expected operational roles.
- Retain relevant host, engineering software, network, and controller logs long enough to support incident reconstruction and compliance evidence.
- Prepare IR procedures for unauthorized PLC program upload findings, including coordination between security, engineering, and operations teams.
Analyst notes and limits
This take is based on DET0761 and its relationship to T0845 Program Upload. Because the detection strategy object does not provide official detection logic or platform detail, defenders should adapt the guidance to local PLC vendors, engineering workflows, logging capabilities, and maintenance practices.
The supplied ATT&CK fields are sparse: no official description, detection text, platforms, tactics, aliases, or labels are provided for DET0761. No active exploitation, attribution, impact, or guaranteed detection coverage is implied.
Detection of Program Upload
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0845 | Program Upload | This object detects Program Upload. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 009fdeace691… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0761 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.