MITRE ATT&CK® Technique

T0873.001: Siemens Project File Format

Adversaries may infect Siemens PLC project files (i.e., Step 7, WinCC, etc.) to achieve Execution, Persistence, and Lateral Movement objectives. Adversaries may modify an existing project file or bring their own project files into the environment.[1]

The ability for an adversary to deploy an infected project file relies on access to a workstation with Siemens PLC programming software installed on it from which a program download can be performed.

Domain: ICS | ID: T0873.001 | Type: Sub-technique | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This technique matters because Siemens PLC project files can become a vehicle for malicious logic that reaches control equipment through normal engineering workflows. The business risk is not just malware on a workstation; it is the possibility that a trusted project file used by engineers supports execution, persistence, or lateral movement in an ICS environment. Leaders should treat engineering workstations and project-file handling as high-value control points for operational resilience.

Executive priority

Prioritize governance and evidence around who can access Siemens project files, who can use Siemens PLC programming software, and how program downloads are authorized and verified. This is especially relevant for incident response readiness and audit defensibility because ATT&CK notes the adversary needs access to a workstation with Siemens programming software from which a download can be performed. Budget and control decisions should focus on protecting engineering workstations, validating project integrity, and limiting unauthorized file modification or use.

Technical view

SOC, detection engineering, and IR teams should validate controls around Siemens project file creation, modification, transfer, opening, and download activity from engineering workstations. ATT&CK provides no official detection text, but the related detection strategy is DET0906, Detection of Siemens Project File Format Infection. Defensive validation should therefore focus on whether teams can identify unexpected changes to Step 7, WinCC, or other Siemens PLC project files, correlate those changes to authenticated users and workstations, and review program download events after file changes. Because this is a sub-technique of Project File Infection and targets Workstations, response playbooks should include isolating or preserving engineering workstations and comparing project files against known-valid versions before reuse.

Likely telemetry

  • File integrity monitoring or version-control evidence for Siemens PLC project files such as Step 7 and WinCC projects
  • Engineering workstation authentication, privilege, and file-access logs
  • Records of project file movement into or within the environment
  • Siemens engineering software activity where available, especially project open, save, compile, or download-related events
  • Program download, program restart, device reboot, or configuration-change evidence from ICS engineering and control-system records where available

Detection direction

  • Validate whether DET0906 or equivalent local analytics exist for Siemens project file infection scenarios; ATT&CK does not provide detection implementation details for this object.
  • Tune for unauthorized or unusual modification of Siemens project files, especially where followed by engineering software use or program download activity.
  • Correlate project-file changes with user identity, workstation, change ticket, maintenance window, and expected engineering activity to reduce false positives from legitimate engineering work.
  • Watch for blind spots where engineering workstations are not centrally logged, project folders are excluded from file integrity monitoring, or project files are exchanged through removable media or informal shares without audit trails.
  • Maintain known-good project baselines so analysts can distinguish normal engineering updates from unexpected project-file content or configuration changes.

Mitigation priorities

  • Restrict file and directory permissions for Siemens project repositories and engineering workstations, aligned with M0922.
  • Protect sensitive project files at rest using strong encryption where appropriate, aligned with M0941.
  • Use code signing or digital signature verification where available to enforce integrity of binaries and applications involved in the engineering workflow, aligned with M0945.
  • Perform recurring audits and integrity checks of systems, permissions, software, configurations, programs, and firmware, aligned with M0947, especially after reboots, program downloads, or program restarts.
  • Limit the ability to perform program downloads to authorized engineering workstations and personnel, and require verification against known-valid project states before operational deployment.
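
As an added example (not code from the ATT&CK entry, Glexia, or Siemens) of the known-good baseline and integrity-check direction in the detection and mitigation lists above: it hashes a project repository, diffs it against a stored baseline, and labels each change as authorized only when a change record (ticket plus maintenance window) covers that path at the time the change was observed. The file extensions, the change-record shape and the sample data are constructed assumptions, not official Siemens or ATT&CK values.

```python
import hashlib
from datetime import datetime
from pathlib import Path

# Assumed project-file extensions (illustrative Step 7 / WinCC / STL names);
# tune this set to the engineering software actually deployed.
PROJECT_EXTENSIONS = {".s7p", ".mcp", ".awl"}

def snapshot_dir(root: Path) -> dict:
    """Map each project file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in PROJECT_EXTENSIONS}

def diff_baseline(baseline: dict, current: dict) -> list:
    """Return (path, kind) for every added, removed or modified project file."""
    kind = lambda p: ("added" if p not in baseline else "removed" if p not in current
                      else "modified" if baseline[p] != current[p] else None)
    return [(p, kind(p)) for p in sorted(set(baseline) | set(current)) if kind(p)]

def covering_record(path: str, seen_at: datetime, records: list):
    """Return the change record whose path prefix and window cover this change, else None."""
    for rec in records:
        if path.startswith(rec["path_prefix"]) and rec["start"] <= seen_at <= rec["end"]:
            return rec
    return None

def evaluate(baseline: dict, current: dict, seen_at: datetime, records: list) -> list:
    """Label each change; unauthorized ones are reviewed before any program download."""
    findings = []
    for path, kind in diff_baseline(baseline, current):
        rec = covering_record(path, seen_at, records)
        findings.append({"path": path, "kind": kind, "authorized": rec is not None,
                         "ticket": rec["ticket"] if rec else None})
    return findings

# Constructed sample: baseline from the last approved download, a later snapshot,
# and one change ticket whose maintenance window covers only the line1 project.
BASELINE = {"line1/pump.s7p": "a" * 64, "line1/pump.awl": "b" * 64, "hmi/panel.mcp": "c" * 64}
CURRENT = {"line1/pump.s7p": "d" * 64, "line1/pump.awl": "b" * 64,
           "hmi/panel.mcp": "e" * 64, "line2/unexpected.s7p": "f" * 64}
RECORDS = [{"ticket": "CHG-0001", "path_prefix": "line1/",
            "start": datetime(2024, 11, 17, 8, 0), "end": datetime(2024, 11, 17, 12, 0)}]

def run_sample(seen_at_iso: str) -> list:
    """Evaluate the constructed sample at a given observation time (ISO 8601)."""
    return evaluate(BASELINE, CURRENT, datetime.fromisoformat(seen_at_iso), RECORDS)
```

In a live deployment the baseline would be the snapshot taken at the last approved download and `snapshot_dir` would replace the constructed `CURRENT`; the unauthorized findings are the ones to correlate with workstation and user logs.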

Analyst notes and limits

The supplied ATT&CK object links this behavior to Siemens PLC project files and cites the Stuxnet dossier as an external reference. It is also related to Stuxnet software use, but that relationship should be used as historical/contextual tradecraft evidence, not as a claim of current activity. The most important local validation question is whether the organization can prove project-file integrity and authorized engineering workstation use before a PLC program download occurs.

ATT&CK does not specify platforms or tactics directly on this sub-technique and provides no official detection text. The related Workstation asset lists Linux and Windows, and the related Stuxnet software lists Windows, but those should not be treated as technique platform coverage. Local Siemens engineering software versions, logging availability, network architecture, and change-management practices determine what can actually be detected.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID    | Name                   | Relationship / procedure
ICS    | T0873 | Project File Infection | This object is a sub-technique of Project File Infection.
Associated objects

Groups, software, and campaigns

Malware (ICS)

S0603: Stuxnet

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

Platforms: Windows
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d3cf446726b8636d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | d3cf446726b8…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Nicolas Falliere, Liam O Murchu, Eric Chien. W32.Stuxnet Dossier (Version 1.4). February 2011. Retrieved November 17, 2024.
  [2] MITRE ATT&CK (mitre-attack), T0873.001.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.