
S1045: INCONTROLLER

INCONTROLLER is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. INCONTROLLER has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed INCONTROLLER was developed by CHERNOVITE.[1][2][3][4][5]

Domain: ICS | ID: S1045 | Type: Malware | Object version: 1.1 | Status: Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

INCONTROLLER matters because it is described as custom malware built for industrial control environments, including engineering workstations, PLC/RTU/IED-class field devices, safety/protection systems, and Windows. Its documented capabilities map to discovery of ICS assets, interaction with industrial protocols such as OPC UA, Modbus, and CODESYS, controller logic upload/download, parameter changes, operating mode changes, and use of credentials or vulnerabilities. For leaders, the key issue is not a generic malware infection; it is whether the organization can see and control changes to the systems that run physical processes.

Executive priority

Treat INCONTROLLER as a control-system resilience and governance test case. Executives should ask whether engineering workstations, controller access, safety/protection assets, industrial protocol traffic, and program-change workflows are monitored and auditable. Priority decisions should focus on OT segmentation, controlled remote access, credential governance, vulnerability exposure on affected ICS technologies, and incident response playbooks for unauthorized controller logic or parameter changes. This object is especially relevant where business continuity, safety, regulatory evidence, or cyber-physical process integrity depends on PLC and engineering workstation trust.

Technical view

ATT&CK provides no official detection text for INCONTROLLER, so SOC and IR teams should validate coverage against the related behaviors: remote and multicast discovery, port scanning, remote system information discovery, point/tag identification, program upload/download including Download All, controller mode changes, parameter modification, unauthorized command messages, lateral tool transfer, remote services, connection proxying, use of valid or hardcoded credentials, exploitation for privilege escalation, and data destruction. Detection engineering should be grounded in the listed platforms and protocols: engineering workstations, field controllers/RTUs/PLCs/IEDs, safety instrumented systems/protection relays, Windows, Schneider Electric and Omron PLC contexts, OPC UA, Modbus, and CODESYS.

Likely telemetry

  • Engineering workstation process, file, authentication, and remote-service logs
  • Windows endpoint telemetry from OT workstations and jump hosts
  • OT network traffic metadata and packet/protocol logs for OPC UA, Modbus, CODESYS, and vendor engineering communications
  • Controller and engineering software audit logs for program upload, program download, Download All, online edits, and operating mode changes
  • Asset inventory and passive discovery data showing PLC/RTU/IED make, model, firmware, role, and network location

Detection direction

  • Baseline normal engineering workstation-to-controller relationships and alert on new hosts performing discovery, program transfer, parameter changes, or command messages.
  • Correlate industrial protocol events with approved maintenance windows and change tickets; program downloads, Download All operations, and controller mode changes should have strong business justification.
  • Tune discovery detections for OT realities: port scans and multicast discovery may overlap with asset inventory tools, so validate source, schedule, protocol, and destination scope before escalating.
  • Monitor for point/tag enumeration and remote system information discovery because these behaviors can precede process-aware manipulation.
  • Review credential use across engineering tools and controllers, especially shared, default, service, or hardcoded credentials; anomalous successful use may be more important than failed logons in OT.
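The baseline-and-correlate logic described in the bullets above, as an added example (not Glexia's or MITRE's code): it flags discovery on the ports named in this page's relationship table (NetManage UDP/27127, CODESYS UDP/1740, OPC UA TCP/4840) from hosts that are neither baselined nor approved scanners, and flags program-download, Download All, mode-change and parameter/register-write events that come from an unbaselined host or fall outside an approved change window. The baseline, scanner list, change windows, event labels and sample records are all constructed for the example.

```python
from datetime import datetime

# Constructed baseline of approved engineering-workstation -> controller pairs.
BASELINE = {("ews01", "plc-schneider-01"), ("ews01", "plc-omron-02")}
# Constructed asset-inventory scanners whose discovery traffic is expected.
APPROVED_SCANNERS = {"assetinv01"}
# Constructed approved change windows per controller (ISO-8601, inclusive).
CHANGE_WINDOWS = {"plc-omron-02": [("2022-09-10T01:00", "2022-09-10T04:00")]}
# Discovery ports named in the relationships on this page: NetManage multicast
# UDP/27127, CODESYS UDP/1740, OPC UA TCP/4840.
DISCOVERY_PORTS = {("udp", 27127), ("udp", 1740), ("tcp", 4840)}
# Constructed event labels for the process-impacting behaviors the page lists.
PROCESS_IMPACT = {"program_download", "download_all", "mode_change",
                  "param_write", "register_write"}


def in_change_window(ts, dst):
    """True when ts falls inside an approved change window for controller dst."""
    t = datetime.fromisoformat(ts)
    return any(datetime.fromisoformat(a) <= t <= datetime.fromisoformat(b)
               for a, b in CHANGE_WINDOWS.get(dst, []))


def triage(records):
    """Return (timestamp, src, reason) alerts; a record is
    (timestamp, src, dst, proto, port, event)."""
    alerts = []
    for ts, src, dst, proto, port, event in records:
        known = (src, dst) in BASELINE
        # Discovery from a host that is neither baselined nor an approved scanner.
        if (proto, port) in DISCOVERY_PORTS and not known and src not in APPROVED_SCANNERS:
            alerts.append((ts, src, f"unbaselined discovery {proto}/{port} -> {dst}"))
        # Process-impacting events need a known pair AND an approved change window.
        if event in PROCESS_IMPACT:
            if not known:
                alerts.append((ts, src, f"{event} from unbaselined host -> {dst}"))
            elif not in_change_window(ts, dst):
                alerts.append((ts, src, f"{event} outside change window -> {dst}"))
    return alerts


# Constructed sample telemetry; not captured from any real environment.
SAMPLE = [
    ("2022-09-10T02:15", "ews01", "plc-omron-02", "tcp", 80, "program_download"),
    ("2022-09-10T13:00", "ews01", "plc-schneider-01", "udp", 1740, "download_all"),
    ("2022-09-10T09:02", "assetinv01", "multicast", "udp", 27127, "probe"),
    ("2022-09-10T09:03", "vendor-laptop", "multicast", "udp", 27127, "probe"),
    ("2022-09-10T09:05", "vendor-laptop", "plc-schneider-01", "tcp", 4840, "probe"),
    ("2022-09-10T09:09", "vendor-laptop", "plc-schneider-01", "tcp", 502, "register_write"),
]
```

Running `triage(SAMPLE)` yields four alerts: the in-window download from the baselined workstation is suppressed, the approved scanner's multicast probe is suppressed, and the remaining records surface as one change-window violation and three unbaselined-host findings.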

Mitigation priorities

  • Start with asset and communication mapping for engineering workstations, PLCs/RTUs/IEDs, safety/protection systems, and the protocols named in the ATT&CK description.
  • Restrict and monitor engineering workstation access to controllers; separate routine operations from privileged engineering functions such as program download and mode changes.
  • Enforce change control for logic, parameter, firmware, and configuration updates, with independent validation against known-good controller projects where feasible.
  • Harden credential practices for OT accounts and vendor tools: remove unnecessary shared/default access, limit service accounts, and document unavoidable hardcoded-credential risks.
  • Segment OT networks and constrain remote services, proxy paths, and inter-segment flows to approved sources and destinations.

Analyst notes and limits

This take is based on the supplied ATT&CK S1045 malware object, its official description, external references, listed platforms, and relationship context. The object states that INCONTROLLER includes modules tailored to ICS devices and technologies, including Schneider Electric and Omron PLCs and OPC UA, Modbus, and CODESYS protocols. The relationship set is unusually decision-relevant because it links the malware to both preparatory behaviors, such as discovery and credential use, and potentially process-impacting behaviors, such as program download, parameter modification, command messages, mode changes, and data destruction.

MITRE did not provide official detection guidance or ATT&CK tactics for this object in the supplied fields. The relationships identify behaviors associated with the malware, but they do not prove local exposure, current activity, or detection coverage. Environment-specific validation is required to determine whether the relevant ICS technologies, protocols, logging sources, credentials, and change-control processes exist and are monitored.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

20 rows
Domain | ID | Name | Relationship / procedure

ICS | T0846.003 | Multicast Discovery (sub-technique)

INCONTROLLER can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol. [Dragos-Pipedream][Wylie-22]

ICS | T0861 | Point & Tag Identification

INCONTROLLER can remotely read the OPC UA structure from devices. [CISA-AA22-103A]

ICS | T0869 | Standard Application Layer Protocol

INCONTROLLER can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS. [CISA-AA22-103A]

ICS | T0886 | Remote Services

INCONTROLLER can use the CODESYS protocol to remotely connect to Schneider PLCs and perform maintenance functions on the device. [Wylie-22]

INCONTROLLER can use Telnet to upload payloads and execute commands on Omron PLCs. [Brubaker-Incontroller][Dragos-Pipedream] The malware can also use HTTP-based CGI scripts (e.g., cpu.fcgi, ecat.fcgi) to gain administrative access to the device. [Wylie-22]

ICS | T1692.001 | Command Message (sub-technique)

INCONTROLLER can send custom Modbus commands to write register values on Schneider PLCs. [CISA-AA22-103A]

INCONTROLLER can write tag values on OPC UA servers. [CISA-AA22-103A]

ICS | T0884 | Connection Proxy

The INCONTROLLER PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC. [Wylie-22]

ICS | T0836 | Modify Parameter

INCONTROLLER can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCAT-connected servo drives. [Wylie-22]

ICS | T0858 | Change Operating Mode

INCONTROLLER can establish a remote HTTP connection to change the operating mode of Omron PLCs. [Dragos-Pipedream][Wylie-22]

ICS | T0843.001 | Download All (sub-technique)

INCONTROLLER can modify program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server. [Wylie-22]

ICS | T0859 | Valid Accounts

INCONTROLLER can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740). [CISA-AA22-103A]

INCONTROLLER can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords. [CISA-AA22-103A][Wylie-22]

ICS | T0846 | Remote System Discovery

INCONTROLLER can use the FINS (Factory Interface Network Service) protocol to scan for and obtain the MAC addresses associated with Omron devices. [CISA-AA22-103A][Wylie-22]

ICS | T0843 | Program Download

INCONTROLLER has used the CODESYS protocol to download programs to Schneider PLCs. [Wylie-22][Brubaker-Incontroller] INCONTROLLER has also modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server. [Wylie-22]

ICS | T0888 | Remote System Information Discovery

INCONTROLLER includes a library that creates Modbus connections with a device to request its device ID. [CISA-AA22-103A][Wylie-22]

ICS | T0867 | Lateral Tool Transfer

INCONTROLLER can use a Telnet session to load a malware implant on Omron PLCs. [CISA-AA22-103A][Wylie-22]

ICS | T0846.001 | Port Scan (sub-technique)

INCONTROLLER has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers. [Wylie-22]

ICS | T0845 | Program Upload

INCONTROLLER can use the CODESYS protocol to upload programs from Schneider PLCs. [Wylie-22][Brubaker-Incontroller]

INCONTROLLER can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server. [Wylie-22]

ICS | T0890 | Exploitation for Privilege Escalation

INCONTROLLER has the ability to exploit a vulnerable ASRock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system. [Wylie-22]

ICS | T0842 | Network Sniffing

INCONTROLLER can deploy Tcpdump to sniff network traffic and collect PCAP files. [Wylie-22]

ICS | T0809 | Data Destruction

INCONTROLLER can wipe the memory of Omron PLCs and reset settings through the remote HTTP service. [Brubaker-Incontroller][Dragos-Pipedream][Wylie-22]

ICS | T1694.002 | Hardcoded Credentials (sub-technique)

INCONTROLLER can log in to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151. [Wylie-22]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: e6e2b39159f48555...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | e6e2b39159f4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CISA-AA22-103A: DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.
  2. [2] Brubaker-Incontroller: Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.
  3. [3] Dragos-Pipedream: DRAGOS. (2022, April 13). Pipedream: Chernovite's Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.
  4. [4] Schneider-Incontroller: Schneider Electric. (2022, April 14). Schneider Electric Security Bulletin: "APT Cyber Tools Targeting ICS/SCADA Devices". Retrieved September 28, 2022.
  5. [5] Wylie-22: Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.
  6. [6] PIPEDREAM: alias entry; see Dragos-Pipedream and Wylie-22.
  7. [7] mitre-attack S1045: MITRE ATT&CK source record for S1045.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.