MITRE ATT&CK® Detection Strategy

DET0906: Detection of Siemens Project File Format Infection

Domain: ICS | ID: DET0906 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy matters because infected Siemens PLC project files can turn normal engineering artifacts into a path for execution, persistence, or lateral movement in an ICS environment. For leaders, the practical issue is not only malware detection; it is whether project files used by engineering teams are controlled, versioned, reviewed, and recoverable before they are trusted in operations.

Executive priority

Prioritize this where Siemens Step 7, WinCC, or related PLC project files are part of operational technology workflows. The key business question is whether the organization can prove project-file integrity during maintenance, vendor access, incident response, and audit review. Gaps can affect operational resilience because compromised engineering artifacts may be reused, copied, or restored across environments.

Technical view

The ATT&CK object has no official description, detection text, platforms, or tactics, but it detects ICS technique T0873.001, Siemens Project File Format. SOC, OT, and IR teams should validate whether they can identify creation, modification, import, transfer, and use of Siemens PLC project files, then correlate those events to approved engineering change activity. Focus on integrity validation, known-good baselines, project repository history, engineering workstation activity, and evidence that files introduced from external media, vendors, backups, or shared locations were reviewed before use.

Likely telemetry

  • Engineering workstation file creation, modification, and execution context for Siemens PLC project files
  • Project repository, version-control, backup, or file-share history showing project-file changes
  • File integrity monitoring or hash comparison against approved project baselines
  • User authentication and access logs for engineers, vendors, and administrators modifying project files
  • Removable media, file transfer, and network share activity involving project files

Detection direction

  • Validate that Siemens project-file locations are inventoried and monitored; unknown storage locations are a likely blind spot.
  • Tune detections around unauthorized or unusual project-file modification, import, or movement, especially outside approved maintenance windows or change tickets.
  • Compare project files against approved hashes, backups, or version history rather than relying only on endpoint malware alerts.
  • Correlate file changes with user identity, source system, removable media or file-share activity, and documented engineering work.
  • Expect false positives from legitimate engineering changes, vendor maintenance, restoration from backups, and project migration; require change context before escalation.

Mitigation priorities

  • Inventory Siemens PLC project files, their approved storage locations, owners, and recovery sources.
  • Restrict write access to project files and repositories to authorized engineering roles and approved maintenance processes.
  • Maintain known-good project baselines, backups, and version history so suspicious changes can be compared and rolled back.
  • Require review or validation before importing project files from vendors, removable media, backups, or shared locations.
  • Integrate project-file integrity checks into OT incident response and change-management procedures.
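
The detection direction and mitigation priorities above both come down to the same check: hash the inventoried project files, compare them to an approved baseline, and decide whether any deviation is explained by documented engineering work before escalating. The script below is an added illustration of that check, not tooling from Glexia, MITRE or Siemens. Every file name, file content, user name, timestamp and change ticket in it is constructed sample data; only the .s7p extension is the real STEP 7 project-file extension, and the baseline and ticket records stand in for whatever repository, backup manifest or change-management export an organization actually has.

```python
"""Project-file integrity audit with change-ticket correlation (added example).

Classifies each observed Siemens project file as ok, approved_change,
unauthorized_modification, unknown_file or missing_file by comparing its
SHA-256 to an approved baseline and checking deviations against change tickets.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2025-03-10T10:30:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: contents of the approved project files at the last reviewed
# release. A real baseline would be the hash manifest kept with the repository
# or backup, not the file bytes themselves.
APPROVED_CONTENT = {
    "Pump_Station_A/Pump_Station_A.s7p": b"S7P project, approved release 12\n",
    "Tank_Farm/Tank_Farm.s7p": b"S7P project, approved release 7\n",
    "Boiler/Boiler.s7p": b"S7P project, approved release 3\n",
}
BASELINE = {path: sha256_hex(data) for path, data in APPROVED_CONTENT.items()}

# Constructed sample: approved change tickets, each naming the engineer, the
# files in scope and the maintenance window.
CHANGE_TICKETS = [
    {"id": "CHG-1042", "user": "eng_alice", "paths": {"Tank_Farm/Tank_Farm.s7p"},
     "start": "2025-03-10T08:00:00Z", "end": "2025-03-10T12:00:00Z"},
]

# Constructed sample: what file-integrity monitoring observed on the project
# share, as path -> (current bytes, last writer, last-write time).
OBSERVED = {
    # Changed by a vendor account at night with no covering ticket.
    "Pump_Station_A/Pump_Station_A.s7p": (
        b"S7P project, approved release 12 + unreviewed edit\n", "vendor_tmp", "2025-03-12T02:15:00Z"),
    # Changed by the ticketed engineer inside the CHG-1042 window.
    "Tank_Farm/Tank_Farm.s7p": (
        b"S7P project, release 8 per CHG-1042\n", "eng_alice", "2025-03-10T10:30:00Z"),
    # Not in the inventory at all: appeared via a removable-media import folder.
    "USB_import/Compressor.s7p": (
        b"S7P project of unknown origin\n", "eng_bob", "2025-03-11T15:05:00Z"),
    # Boiler/Boiler.s7p is absent from the share -> missing_file.
}


def covering_ticket(path, user, when, tickets):
    """Return the id of a ticket that authorizes this user to touch this path at this time."""
    for ticket in tickets:
        if (path in ticket["paths"] and ticket["user"] == user
                and parse_ts(ticket["start"]) <= when <= parse_ts(ticket["end"])):
            return ticket["id"]
    return None


def audit_project_files(baseline, observed, tickets):
    """Map each path to (status, ticket_id_or_None)."""
    findings = {}
    for path, (data, user, written_at) in observed.items():
        if path not in baseline:
            findings[path] = ("unknown_file", None)          # outside the inventory
        elif sha256_hex(data) == baseline[path]:
            findings[path] = ("ok", None)                    # matches approved hash
        else:
            ticket = covering_ticket(path, user, parse_ts(written_at), tickets)
            findings[path] = (("approved_change", ticket) if ticket
                              else ("unauthorized_modification", None))
    for path in baseline:
        if path not in observed:
            findings[path] = ("missing_file", None)          # baseline file gone
    return findings


def needs_escalation(findings):
    """Paths whose status cannot be explained by documented engineering work."""
    flagged = {"unauthorized_modification", "unknown_file", "missing_file"}
    return sorted(p for p, (status, _) in findings.items() if status in flagged)


if __name__ == "__main__":
    results = audit_project_files(BASELINE, OBSERVED, CHANGE_TICKETS)
    for path, (status, ticket) in sorted(results.items()):
        print(f"{status:26} {path}" + (f"  ({ticket})" if ticket else ""))
    print("escalate:", needs_escalation(results))
```

Two design choices matter here. A mismatch is only downgraded to approved_change when the writer, the path and the write time all fall inside one ticket, which is what keeps legitimate maintenance out of the escalation queue without trusting any change that merely happened during a window. Files that are missing from the baseline inventory are flagged on their own, because an unknown storage location is the blind spot the detection direction calls out.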

Analyst notes and limits

DET0906 is a detection strategy object in the ICS ATT&CK domain and is linked to T0873.001, Siemens Project File Format. The relationship provides the main defensive context: infected Siemens PLC project files may support execution, persistence, and lateral movement objectives. This take intentionally frames detection around integrity, change control, and evidence collection rather than assuming a specific vendor tool or guaranteed detection method.

The supplied ATT&CK object has no official description or detection guidance, and platforms and tactics are not specified for the detection strategy. Recommendations are therefore conservative and based on the related technique description and external reference only. Environment-specific Siemens tooling, file locations, logging availability, and engineering change processes must be confirmed locally.

Official MITRE ATT&CK definition

Detection of Siemens Project File Format Infection

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Type | Relationship / procedure
ICS | T0873.001 | Siemens Project File Format | Sub-technique | This object detects Siemens Project File Format.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d0f8a9222252c323...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d0f8a9222252…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack: DET0906

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.