MITRE ATT&CK® Technique

T0845: Program Upload

Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.

ICS | T0845 | Technique | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Program Upload is an ICS technique where an adversary attempts to copy control logic from a PLC or similar controller to a workstation, jump box, or interfacing device. For leaders, the issue is not just data theft: controller logic can reveal how an industrial process works, including safety or automation dependencies, which can shape later disruption or manipulation decisions.

Executive priority

Prioritize this behavior where PLCs, safety controllers, DCS controllers, or PACs support critical operations. Ask whether only approved, authenticated users and systems can read controller logic, whether uploads are logged or reviewed, and whether OT network paths limit who can reach embedded control assets. This is relevant to operational resilience, incident response scoping, and compliance evidence for access control and segmentation in industrial environments.

Technical view

ATT&CK provides no official detection text for T0845, but the relationship to DET0761 indicates a detection strategy exists for Program Upload. SOC, OT security, and IR teams should validate visibility into engineering software activity, controller read/upload operations, network sessions between workstations or jump boxes and controllers, and authentication or authorization decisions around controller access. Because tactics and platforms are not specified for the technique, detection engineering should be anchored to local asset inventories and the targeted asset relationships: PLCs, safety controllers, DCS controllers, and PACs.

Likely telemetry

  • Engineering workstation or jump box activity involving vendor software used to read or upload controller programs
  • Controller access logs or audit records showing program read/upload events where available
  • Network traffic between workstations, interfacing devices, and embedded controllers
  • Authentication and authorization records for users, devices, and software processes accessing controller logic
  • OT firewall, gateway, allowlist, or protocol-filtering logs showing permitted or denied controller communications

Detection direction

  • Validate whether DET0761-aligned monitoring can identify controller program upload behavior in the local environment.
  • Baseline legitimate engineering and maintenance uploads so alerts can distinguish expected change activity from unusual source systems, users, timing, or controller targets.
  • Correlate upload-like activity with access-control evidence; a permitted network session alone may not prove authorized logic access.
  • Pay special attention to blind spots where legacy controllers lack native authentication, detailed audit logs, or user attribution.
  • Use relationship context from Triton and INCONTROLLER only as evidence that known ICS software has used this technique; do not treat that relationship as proof of current activity.
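One way to operationalize the baseline-and-correlate guidance above, as an added example that is not from this page, from Glexia or from MITRE: a hypothetical Python triage routine run over constructed OT firewall session records and access-management permit decisions, flagging engineering-protocol sessions to controllers that come from an unapproved host, lack a recent permit decision, or fall outside a maintenance window. The approved hosts, controller inventory, maintenance window and record shapes are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed local baseline (hypothetical values): approved engineering hosts,
# controller inventory, maintenance windows, and how fresh a permit decision must be.
APPROVED_ENGINEERING_HOSTS = {"10.10.5.20"}
CONTROLLERS = {"10.20.0.11": "PLC-LineA", "10.20.0.12": "SIS-Burner"}
MAINTENANCE_WINDOWS = [(datetime(2024, 6, 3, 8), datetime(2024, 6, 3, 12))]
AUTH_WINDOW = timedelta(minutes=15)

@dataclass
class Session:      # OT firewall / gateway session record (constructed shape)
    ts: datetime; src: str; dst: str; service: str

@dataclass
class AuthEvent:    # access-management permit/deny record (constructed shape)
    ts: datetime; user: str; src: str; dst: str; result: str

def in_maintenance_window(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)

def find_authorization(session, auth_events):
    """Most recent 'permit' decision for the same src->dst no older than AUTH_WINDOW, else None."""
    hits = [a for a in auth_events if a.src == session.src and a.dst == session.dst
            and a.result == "permit" and timedelta(0) <= session.ts - a.ts <= AUTH_WINDOW]
    return max(hits, key=lambda a: a.ts, default=None)

def triage_sessions(sessions, auth_events):
    """List baseline deviations per engineering-protocol session to a controller; [] means expected change activity."""
    findings = []
    for s in sessions:
        if s.dst not in CONTROLLERS or s.service != "engineering":
            continue   # operational polling (e.g. Modbus reads) is out of scope for this rule
        reasons = []
        if s.src not in APPROVED_ENGINEERING_HOSTS:
            reasons.append("source not an approved engineering host")
        if find_authorization(s, auth_events) is None:
            reasons.append("no permit decision within AUTH_WINDOW")  # a reachable path is not authorization
        if not in_maintenance_window(s.ts):
            reasons.append("outside maintenance window")
        findings.append((CONTROLLERS[s.dst], s.src, reasons))
    return findings

# Constructed sample telemetry: one baselined maintenance upload, one off-hours session from an unapproved host.
SESSIONS = [Session(datetime(2024, 6, 3, 9, 0), "10.10.5.20", "10.20.0.11", "engineering"),
            Session(datetime(2024, 6, 3, 9, 5), "10.10.5.20", "10.20.0.11", "modbus"),
            Session(datetime(2024, 6, 3, 22, 30), "10.10.7.44", "10.20.0.12", "engineering")]
AUTH_EVENTS = [AuthEvent(datetime(2024, 6, 3, 8, 52), "eng_user", "10.10.5.20", "10.20.0.11", "permit")]
```

Calling `triage_sessions(SESSIONS, AUTH_EVENTS)` returns an empty reason list for the 09:00 workstation session and three reasons for the 22:30 session to the safety controller.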

Mitigation priorities

  • Enforce authorization so only authenticated users with approved roles can read, manipulate, or execute controller functions, consistent with M0800 Authorization Enforcement.
  • Use Access Management controls or gateways where field devices cannot sufficiently identify or authenticate users on their own.
  • Require human user authentication and, where appropriate, device and software process authentication before allowing access to controller data or commands.
  • Use communication authenticity protections when controller communications cross untrusted networks.
  • Restrict reachable controller paths with network segmentation, network allowlists, and protocol-aware traffic filtering, especially around automation protocols and engineering access paths.

Analyst notes and limits

This technique targets embedded ICS control assets including PLCs, safety controllers, DCS controllers, and PACs. The supplied relationships list Triton and INCONTROLLER as software that uses Program Upload; INCONTROLLER’s description includes downloading logic and interacting with ICS devices and protocols. Those relationships support threat-informed prioritization, but local logs, asset ownership, and maintenance procedures are required to determine whether observed uploads are authorized.

The ATT&CK object does not specify tactics, technique platforms, aliases, labels, or official detection text. The mitigation descriptions are relationship-derived and partially truncated in the supplied fields, so recommendations are limited to the named mitigation themes and provided descriptions. No claim is made about active exploitation, attribution, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Program Upload

Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware (ICS)

S1045: INCONTROLLER

INCONTROLLER is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. INCONTROLLER has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed INCONTROLLER was developed by CHERNOVITE.[1][2][3][4][5]

Engineering Workstation | Field Controller/RTU/PLC/IED | Safety Instrumented System/Protection Relay
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 8effb3bafbadc076...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 8effb3bafbad…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack T0845 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.