Program Download

From attackics
Jump to navigation Jump to search
Program Download
ID T843
Tactic Persistence, Inhibit Response Function, Impair Process Control
Data Sources Sequential event recorder, Controller program, Network protocol analysis, Packet capture
External Contributors Joe Slowik - Dragos
Asset Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay


Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.

Procedure Examples

  • Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.1
  • Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System.2