DET0913: Detection of Program Download All
Analyst context for executives and security teams
DET0913 is an ICS detection strategy for identifying a “Download All” event: a full PLC program and configuration download. This matters because the related ATT&CK technique describes overwriting the entire PLC project, which may require stopping the PLC and can adversely affect control processes. For leaders, this is less about a routine file transfer and more about knowing whether the organization can distinguish authorized engineering changes from activity that could disrupt operations.
Executive priority
Prioritize this as an operational resilience and change-control visibility question. Executives should ask whether full PLC downloads are formally authorized, visible to the SOC or OT operations team, and reviewable after the fact. Because the supplied ATT&CK context ties this behavior to access from a workstation with vendor-specific PLC programming software, identity/access governance and engineering workstation oversight are key decision points.
Technical view
SOC, OT, and IR teams should validate whether they can observe and investigate full PLC program/configuration downloads, especially events that overwrite an entire project or require PLC stop/start activity. Since the ATT&CK object provides no official detection logic, platforms, or tactics, teams should base detection engineering on local OT architecture, controller capabilities, engineering workstation logs, and approved change-management records.
Likely telemetry
- PLC/controller program download or configuration change records, where available
- Engineering workstation activity involving vendor-specific PLC programming software
- Controller state changes such as stop/run transitions associated with downloads
- OT network or asset monitoring records that can show engineering workstation-to-PLC project transfer activity
- Change-management tickets, maintenance windows, and authorized engineering approval records
Detection direction
- Validate that full downloads can be distinguished from smaller edits or routine engineering activity.
- Correlate PLC download events with approved maintenance windows and named engineering users or workstations.
- Tune for high-risk context: full overwrite events, unexpected PLC stop activity, or downloads from unapproved engineering workstations.
- Expect false positives from legitimate commissioning, maintenance, and major project changes; require change-control correlation rather than alerting on every engineering action alone.
- Document blind spots where controller logs, engineering workstation logs, or OT network visibility are unavailable.
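As an added example that is not part of the ATT&CK object or this page, the correlation logic in the list above can be sketched against constructed records: a few PLC download events are checked against an approved-workstation list and change-management maintenance windows, and only full overwrites without a matching ticket, or downloads from unapproved workstations, are raised high. Workstation names, users, ticket ids and the pipe-separated record formats are all assumptions.

```python
from datetime import datetime
# Constructed sample records (not real telemetry); fields are pipe-separated.
DOWNLOAD_LOG = """\
2026-03-02T09:15:00|PLC-LINE3|ENG-WS-01|jdoe|full|yes
2026-03-02T14:40:00|PLC-LINE3|ENG-WS-01|jdoe|partial|no
2026-03-02T23:05:00|PLC-LINE3|LAPTOP-77|contractor|full|yes
"""
DOWNLOAD_FIELDS = ("ts", "plc", "ws", "user", "scope", "stopped")
CHANGE_TICKETS = """\
CHG-1042|PLC-LINE3|2026-03-02T09:00:00|2026-03-02T11:00:00|ENG-WS-01|jdoe
"""
TICKET_FIELDS = ("id", "plc", "start", "end", "ws", "user")
# Assumed local list of workstations allowed to run PLC programming software.
APPROVED_WORKSTATIONS = {"ENG-WS-01", "ENG-WS-02"}

def parse(text, fields):
    rows = []
    for line in text.splitlines():
        row = dict(zip(fields, line.split("|")))
        for key in ("ts", "start", "end"):
            if key in row:
                row[key] = datetime.fromisoformat(row[key])
        if "stopped" in row:
            row["stopped"] = row["stopped"] == "yes"
        rows.append(row)
    return rows

def assess(event, tickets):
    """Return (severity, reasons, ticket_id) for one PLC download event."""
    reasons = []
    # A ticket matches only if it names the same PLC, workstation and user
    # and its maintenance window covers the download time.
    ticket = next((t["id"] for t in tickets
                   if t["plc"] == event["plc"] and t["ws"] == event["ws"]
                   and t["user"] == event["user"]
                   and t["start"] <= event["ts"] <= t["end"]), None)
    if event["ws"] not in APPROVED_WORKSTATIONS:
        reasons.append("unapproved_workstation")
    if ticket is None:
        reasons.append("no_change_ticket")
        if event["stopped"]:  # PLC stop outside any approved window
            reasons.append("unexpected_plc_stop")
    if not reasons:
        return "info", [], ticket  # authorized change: keep as audit evidence
    # Full overwrites outrank partial edits; unticketed routine edits stay low.
    return ("high" if event["scope"] == "full" else "low"), reasons, ticket

def run(download_text=DOWNLOAD_LOG, ticket_text=CHANGE_TICKETS):
    tickets = parse(ticket_text, TICKET_FIELDS)
    return [assess(e, tickets) for e in parse(download_text, DOWNLOAD_FIELDS)]
```

The "info" result for the ticketed download is what the mitigation list calls audit evidence; the unticketed partial edit stays low so routine engineering work does not page anyone.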
Mitigation priorities
- Limit use of vendor-specific PLC programming software to authorized engineering workstations and personnel.
- Require formal approval and maintenance-window tracking for full PLC downloads.
- Ensure OT operations and incident response teams have procedures for validating whether a full download was authorized.
- Maintain recovery readiness for overwritten PLC program/configuration states consistent with local engineering practices.
- Use detection results as compliance and audit evidence for control-system change governance.
Analyst notes and limits
This take is based on ATT&CK DET0913 and its stated relationship to T0843.001 Download All. The practical emphasis is on visibility, authorization, and investigation of full PLC downloads because the related technique describes overwriting PLC program/configuration and potentially stopping the PLC.
The ATT&CK detection strategy has no official description, detection text, platforms, or tactics supplied. Local controller models, engineering tools, logging capability, and OT network architecture are required to define precise analytics or coverage claims.
Detection of Program Download All
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0843.001 | Download All Sub-technique | This object detects Download All. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ff766d9eb32d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0913
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.