DET0914: Detection of Program Append
Analyst context for executives and security teams
Program Append matters because it can change part of an existing PLC program without necessarily stopping the controller or interrupting the physical process. For executives and operations leaders, the risk is not just “code changed,” but that a control-system change may occur quietly enough to avoid obvious downtime-based alarms. The key defensive question is whether the organization can prove when PLC logic was appended, by whom, from which engineering workstation, and whether the change was authorized.
Executive priority
Treat this as an OT change-control and incident-readiness priority. Because the related technique depends on access to a workstation with vendor-specific PLC programming software, leaders should validate governance over engineering workstations, authorized PLC programming activity, and evidence retention for controller changes. This supports operational resilience, audit evidence, and faster incident decisions when unexplained process behavior or unauthorized logic changes are suspected.
Technical view
ATT&CK provides no specific detection text, platforms, or tactics for DET0914, so teams should build validation around the related ICS technique T0843.003: Program Append. SOC, OT, and IR teams should confirm whether they can observe PLC program modification events, engineering workstation activity, authentication or session activity to controllers, and change-management records. Detection should focus on distinguishing authorized engineering changes from unexpected append activity, especially changes initiated from systems that should not be performing PLC programming.
Likely telemetry
- PLC or controller change logs where available
- Engineering workstation logs
- Vendor-specific PLC programming software activity records where available
- Authentication and access records for users performing controller changes
- Network communications between engineering workstations and PLCs/controllers
Detection direction
- Validate whether PLC program append or logic modification events are logged at all; many environments may lack consistent controller-level visibility.
- Correlate controller changes with approved maintenance windows, change tickets, and authorized engineering personnel.
- Baseline which workstations are expected to run vendor-specific PLC programming software and alert on programming activity from unexpected systems.
- Tune detections to account for legitimate engineering work, commissioning, troubleshooting, and scheduled maintenance to reduce false positives.
- Prioritize investigation when append-like activity occurs without a matching approval record, from an unusual workstation, or during an unexpected operational period.
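The correlation described in the list above, as an added example that is not part of the original page or of ATT&CK: each program-modification event is checked against a workstation baseline and the change tickets. The event field names, host names, ticket IDs, and sample records are constructed assumptions; real controller and engineering-software logs differ by vendor and need normalizing first.

```python
from datetime import datetime

# Constructed baseline: hosts expected to run vendor PLC programming software.
PROGRAMMING_HOSTS = {"EWS-01", "EWS-02"}

# Constructed change tickets (approved PLC, engineer, maintenance window).
TICKETS = [
    {"id": "CHG-1001", "plc": "PLC-A", "engineer": "jdoe",
     "start": datetime(2024, 5, 4, 22, 0), "end": datetime(2024, 5, 5, 2, 0)},
]

# Constructed, already-normalized program-modification events. Field names are
# assumptions; real controller and engineering-software logs differ by vendor.
EVENTS = [
    {"id": 1, "plc": "PLC-A", "user": "jdoe", "src_host": "EWS-01",
     "time": datetime(2024, 5, 4, 23, 10)},
    {"id": 2, "plc": "PLC-A", "user": "jdoe", "src_host": "EWS-01",
     "time": datetime(2024, 5, 6, 3, 15)},
    {"id": 3, "plc": "PLC-B", "user": "asmith", "src_host": "HMI-07",
     "time": datetime(2024, 5, 4, 23, 30)},
]


def triage(event, tickets=TICKETS, hosts=PROGRAMMING_HOSTS):
    """Return the reasons an event needs investigation (empty list = expected)."""
    reasons = []
    if event["src_host"] not in hosts:
        reasons.append("unexpected_workstation")
    approved = [t for t in tickets
                if t["plc"] == event["plc"] and t["engineer"] == event["user"]]
    if not approved:
        reasons.append("no_approval_record")
    elif not any(t["start"] <= event["time"] <= t["end"] for t in approved):
        reasons.append("outside_approved_window")
    return reasons


def review(events):
    """Map event id -> reasons for flagged events, most reasons first."""
    flagged = {e["id"]: triage(e) for e in events}
    flagged = {k: v for k, v in flagged.items() if v}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for event_id, reasons in review(EVENTS).items():
        print(event_id, ", ".join(reasons))
```

An event with an empty reason list matches an approved ticket from a baselined workstation; everything else is queued for investigation, with multi-reason events first.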
Mitigation priorities
- Maintain a current inventory of PLCs, engineering workstations, and systems with vendor-specific PLC programming software installed.
- Enforce change-control procedures for PLC logic modifications, including documented approvals and maintenance windows.
- Restrict and monitor access to engineering workstations and PLC programming tools based on operational need.
- Ensure logs or records relevant to PLC logic changes are retained and accessible to SOC/OT responders.
- Periodically test whether the organization can reconstruct who changed PLC logic, from where, and under what authorization.
Analyst notes and limits
This Glexia take is based on DET0914 and its relationship to T0843.003 Program Append. The source object is sparse: it has no official description, no official detection guidance, no specified platforms, and no listed tactics. The strongest defensible interpretation is that detection value depends on visibility into PLC change activity and the engineering workstations used to perform programming actions.
No active exploitation, attribution, affected vendors, platforms, tactics, or guaranteed detection coverage are supplied in the provided ATT&CK fields. Any practical detection content must be validated against the local OT environment, PLC vendor logging capabilities, engineering workstation controls, and change-management process maturity.
Detection of Program Append
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0843.003 | Program Append (sub-technique) | This object detects Program Append. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | bd31fb023c00… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0914
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.