MITRE ATT&CK® Technique

T0889: Modify Program

Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.

Program modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) [1] and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another.

Some programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.

ICS · T0889 · Technique · Object v1.2 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Modify Program is material because it concerns changes to controller logic that can alter how industrial equipment behaves. For executives and operations leaders, the issue is not just malware on a workstation; it is whether unauthorized or unvalidated logic changes could affect PLCs, PACs, DCS controllers, or safety controllers that run or protect physical processes.

Executive priority

Prioritize this as an operational resilience and safety-governance risk. Leaders should ask whether controller program changes require authenticated, authorized users; whether approved logic baselines exist; whether integrity checks are performed after downloads, restarts, and reboots; and whether audits can prove who changed what and when. This technique is especially important where programmable controllers support continuous operations or safety-critical functions.

Technical view

ATT&CK provides no official detection text for T0889, but relationship context identifies DET0783 as an associated detection strategy, along with mitigations focused on authorization enforcement, human user authentication, code signing, and audit/integrity checks. SOC, OT engineering, and IR teams should validate visibility around controller program downloads, online edits, appended logic, new or modified Program Organization Units, and unexpected calls between program functions. Because the object targets PLCs, PACs, DCS controllers, and safety controllers, validation should be asset-specific and coordinated with engineering change-management processes.

Likely telemetry

  • Controller program change records, including downloads, online edits, and append operations
  • Engineering workstation or controller management activity logs where available
  • Authentication and authorization events for users performing controller access or manipulation
  • Program, firmware, software, and configuration integrity check results
  • Approved logic baselines, hashes, digital signatures, and change-management records

Detection direction

  • Confirm whether DET0783 or equivalent local analytics are mapped to unauthorized or unexpected controller program modification activity.
  • Compare current controller logic and configuration against known-valid baselines, especially after reboots, program downloads, or program restarts as described by the Audit mitigation relationship.
  • Tune detections against approved maintenance windows and documented engineering changes to reduce false positives while preserving alerting for out-of-process edits.
  • Validate coverage separately for PLCs, PACs, DCS controllers, and safety controllers; the ATT&CK object does not provide a universal platform or detection method.
  • Watch for blind spots where controller-native APIs, obscure features, or limited device logging prevent reliable visibility into logic changes.

Mitigation priorities

  • Enforce authorization so only authenticated users with approved roles can read, manipulate, or execute controller functions.
  • Require human user authentication before accepting access or commands to devices, with stronger authentication where feasible in the ICS environment.
  • Use code signing or digital signature verification where supported to prevent untrusted code from executing.
  • Perform periodic audits and integrity checks of controller firmware, software, programs, and configurations against known-valid states.
  • Tie technical controls to formal engineering change management so security teams can distinguish authorized program changes from suspicious modification.
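
The baseline comparison called for under "Detection direction" and the periodic integrity audit under "Mitigation priorities" both come down to the same check: hash each Program Organization Unit read back from the controller, diff it against an approved baseline, and judge each recorded program change against the change-management window that should have authorized it. The script below is an added example written for this page; it is not code from Glexia, MITRE, or any controller vendor. The POU export format, the baseline and window records, and every timestamp, user name and ticket number are constructed stand-ins for what the engineering tool and change-management system would actually provide.

```python
"""Added example (not Glexia, MITRE or vendor code): compare a controller's
current program logic against an approved baseline and review program-change
events against change-management windows.

All data below is constructed for illustration. A real deployment would read
the POU export from the engineering tool and the baseline/window records from
the change-management system; the formats here are stand-ins.
"""
import hashlib
from datetime import datetime, timezone

# --- Constructed sample data -------------------------------------------------

# Approved baseline: POU name -> source text as exported by the engineering tool
# (hypothetical structured-text snippets, one per Program Organization Unit).
BASELINE_PROGRAM = {
    "MAIN": "PROGRAM MAIN\n  Pump_Control();\n  Safety_Interlock();\nEND_PROGRAM",
    "Pump_Control": "FUNCTION_BLOCK Pump_Control\n  IF Level > 80 THEN Pump := TRUE; END_IF\nEND_FUNCTION_BLOCK",
    "Safety_Interlock": "FUNCTION_BLOCK Safety_Interlock\n  IF Pressure > 100 THEN Trip := TRUE; END_IF\nEND_FUNCTION_BLOCK",
}

# Current program read back from the controller: one POU modified (a setpoint
# changed), one POU added, the rest unchanged. Both differences are constructed.
CURRENT_PROGRAM = {
    "MAIN": BASELINE_PROGRAM["MAIN"],
    "Pump_Control": "FUNCTION_BLOCK Pump_Control\n  IF Level > 95 THEN Pump := TRUE; END_IF\nEND_FUNCTION_BLOCK",
    "Safety_Interlock": BASELINE_PROGRAM["Safety_Interlock"],
    "FB_Extra": "FUNCTION_BLOCK FB_Extra\n  Trip := FALSE;\nEND_FUNCTION_BLOCK",
}

# Approved maintenance windows from change management (constructed).
APPROVED_WINDOWS = [
    {
        "ticket": "CHG-0001",
        "start": datetime(2024, 3, 10, 1, 0, tzinfo=timezone.utc),
        "end": datetime(2024, 3, 10, 4, 0, tzinfo=timezone.utc),
        "approved_users": {"eng01"},
    },
]

# Controller program change records (constructed); "kind" mirrors the
# download / online edit / append operations the technique describes.
CHANGE_EVENTS = [
    {"timestamp": "2024-03-10T02:15:00+00:00", "user": "eng01", "kind": "download"},
    {"timestamp": "2024-03-12T23:40:00+00:00", "user": "eng01", "kind": "online_edit"},
]

# --- Integrity comparison ----------------------------------------------------

def pou_hashes(program):
    """Per-POU SHA-256 digests; this is what an approved baseline would store."""
    return {name: hashlib.sha256(src.encode()).hexdigest() for name, src in program.items()}


def program_hash(program):
    """Whole-program digest over POUs in name order, so ordering is stable."""
    h = hashlib.sha256()
    for name in sorted(program):
        h.update(name.encode() + b"\0" + program[name].encode() + b"\0")
    return h.hexdigest()


def compare_to_baseline(baseline_hashes, current_hashes):
    """Report added, removed and modified POUs relative to the approved baseline."""
    base, cur = set(baseline_hashes), set(current_hashes)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(n for n in base & cur if baseline_hashes[n] != current_hashes[n]),
    }


def classify_change_event(event, windows):
    """'authorized' if the event falls inside an approved window for an approved
    user; otherwise 'out-of-process', the case that should keep alerting."""
    ts = datetime.fromisoformat(event["timestamp"])
    for w in windows:
        if w["start"] <= ts <= w["end"] and event["user"] in w["approved_users"]:
            return "authorized", w["ticket"]
    return "out-of-process", None


def audit_controller(baseline_program, current_program, events, windows):
    """Combine the logic diff with the change-event review into one report."""
    diff = compare_to_baseline(pou_hashes(baseline_program), pou_hashes(current_program))
    reviewed = [dict(e, status=classify_change_event(e, windows)[0]) for e in events]
    drift = program_hash(baseline_program) != program_hash(current_program)
    return {"drift": drift, "diff": diff, "events": reviewed}


if __name__ == "__main__":
    report = audit_controller(BASELINE_PROGRAM, CURRENT_PROGRAM, CHANGE_EVENTS, APPROVED_WINDOWS)
    print("Program drift from baseline:", report["drift"])
    print("POU differences:", report["diff"])
    for e in report["events"]:
        print(f'{e["timestamp"]} {e["kind"]:<12} {e["user"]:<6} {e["status"]}')
```

Run against the constructed data, the report flags drift from the baseline, lists `Pump_Control` as modified and `FB_Extra` as added, marks the download inside ticket CHG-0001 as authorized, and marks the late-night online edit as out-of-process. The whole-program hash is the cheap check to run after every reboot, download or restart; the per-POU diff is what gives engineering the specific units to review, and the event classification is what lets a SOC suppress approved maintenance without losing the out-of-window edit.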

Analyst notes and limits

Relevant relationships identify affected ICS assets as Programmable Logic Controllers, Safety Controllers, DCS Controllers, and Programmable Automation Controllers. The software relationships show Stuxnet and PLC-Blaster as examples associated with this behavior in ATT&CK; they should be used for behavioral context, not as evidence of current activity in any environment.

The supplied ATT&CK object has no official detection text, no listed tactics, and no technique platform value. Local controller models, engineering tools, logging capabilities, and operational change processes are required to determine practical detection and control coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware ICS

S1006: PLC-Blaster

PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules. [1] [2]

Malware ICS

S0603: Stuxnet

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

Platform: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates section of the ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 7c389472786b2adf...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     -                1.2             -         Current bundle  7c389472786b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] IEC. (2013, February 20). IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages. Retrieved 2019/10/22.
  2. [2] mitre-attack. T0889.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.