DET0783 Detection of Modify Program

Technique Detected: T0889 (Modify Program)

Analytics

ICS

AN1915

Monitor device management protocols for functions that modify programs such as online edit and program append events. Monitor device alarms that indicate the program has changed, although not all devices produce such alarms. Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs. Monitor device application logs that indicate the program has changed, although not all devices produce such logs.

Log Sources

Mutable Elements