
DET0752 Detection of Program Download

| Item | Value |
| --- | --- |
| ID | DET0752 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T0843 (Program Download)

Analytics

ICS

AN1884

Monitor device alarms for program downloads, although not all devices produce such alarms. Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols. Consult asset management systems to understand expected program versions. Monitor device configuration logs, which may contain alerts that indicate whether a program download has occurred. Devices may also maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| Device Alarm (DC0108) | Operational Databases | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
| Asset Inventory (DC0110) | Asset | None |
| Application Log Content (DC0038) | Application Log | None |
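One way to combine these log sources into a triage step, as an added example that is not part of the ATT&CK entry: it groups download-type events per device, compares any reported program version with the asset inventory, and notes when no device alarm corroborates the event. The event schema, field names, device names and versions are all constructed assumptions; real protocol traffic and logs would first need to be normalized into this shape.

```python
from collections import defaultdict

# Operations named by the analytic: full download, online edit, program append.
DOWNLOAD_OPS = {"full_download", "online_edit", "program_append"}

# Constructed asset inventory: expected program version per device (hypothetical).
INVENTORY = {"plc-01": "v12", "plc-02": "v7", "plc-03": "v3"}

# Constructed, already-normalized events; "source" mirrors the log sources above.
EVENTS = [
    {"source": "network", "asset": "plc-01", "op": "full_download", "version": "v13"},
    {"source": "device_alarm", "asset": "plc-01", "op": "full_download", "version": None},
    {"source": "network", "asset": "plc-02", "op": "online_edit", "version": None},
    {"source": "app_log", "asset": "plc-03", "op": "read_status", "version": "v3"},
    {"source": "app_log", "asset": "plc-04", "op": "program_append", "version": "v1"},
]


def triage(events, inventory):
    """Return {asset: sorted review reasons} for assets with download-type events."""
    seen = defaultdict(lambda: {"sources": set(), "versions": set()})
    for ev in events:
        if ev["op"] not in DOWNLOAD_OPS:
            continue  # ordinary reads and status polls are not program changes
        rec = seen[ev["asset"]]
        rec["sources"].add(ev["source"])
        if ev["version"] is not None:
            rec["versions"].add(ev["version"])

    findings = {}
    for asset, rec in seen.items():
        reasons = set()
        expected = inventory.get(asset)
        if expected is None:
            reasons.add("unknown_asset")        # no baseline to compare against
        elif not rec["versions"]:
            reasons.add("version_unverified")   # change seen, resulting version unknown
        elif rec["versions"] != {expected}:
            reasons.add("version_mismatch")     # differs from the inventory baseline
        if "device_alarm" not in rec["sources"]:
            # Not all devices raise alarms, so this marks missing corroboration only.
            reasons.add("no_device_alarm")
        findings[asset] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for asset, reasons in sorted(triage(EVENTS, INVENTORY).items()):
        print(asset, reasons)
```

A download whose version matches the inventory and is corroborated by a device alarm yields an empty reason list, which still records that a program change took place and can be checked against change-management records.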
Mutable Elements
Field Description