
Siemens Desigo CC Patch False Positives: Detection Tuning & ICS Defense Guide

Security Arsenal Team
June 11, 2026

In Operational Technology (OT) environments, the boundary between legitimate patch management and malicious behavior is increasingly blurred. This week, Security Arsenal is tracking a significant advisory from Siemens regarding their Desigo CC building management system. Recent patch updates for Desigo CC include a PowerShell script that is currently being flagged as malicious by multiple security engines.

For SOC analysts managing converged IT/OT infrastructures, this presents a dual challenge: the risk of operational disruption if critical patching components are quarantined, and the risk of complacency if security teams blindly whitelist alerts without verification. This post provides the technical depth required to accurately detect, triage, and remediate these false positives without compromising your defensive posture.

Technical Analysis

Affected Product:

  • Siemens Desigo CC: A comprehensive building management platform integrating HVAC, lighting, and energy management.

Nature of the Alert:

  • Trigger Component: A PowerShell script embedded within the patch installation files.
  • Detection Mechanism: Heuristic and behavior-based analysis engines within Endpoint Detection and Response (EDR) and Antivirus (AV) solutions are likely flagging the script based on obfuscation techniques, administrative privilege requests, or script structure that overlaps with common Living-off-the-Land (LotL) or malware dropper patterns.

Operational Impact:

  • Availability: If the EDR quarantines the PowerShell script during the patch deployment, the installation may fail, leaving the system in an inconsistent state or vulnerable to the very issues the patch intended to fix.
  • Alert Fatigue: A surge of critical alerts from OT segments can desensitize SOC analysts to genuine threats targeting industrial control systems (ICS).

Exploitation Status:

  • Current Status: False Positive / Vendor Confirmed.
  • Risk: There is no active exploitation campaign associated with this specific script signature; it is a legitimate component of the vendor's update mechanism. However, defenders must verify the file hash against the vendor advisory before proceeding, to rule out a supply-chain interception that merely reuses the expected file name.

Detection & Response

To address this, we need detection logic that surfaces the conflict between the security engine and the legitimate application. The following rules fire when a security tool detects or blocks PowerShell execution within the context of Siemens patch directories, so the event can be triaged as a likely false positive rather than dismissed or blindly excluded.

Sigma Rules

YAML
---
title: Potential Blocking of Siemens Desigo CC Patch Script
id: 8f4a2c91-1b5d-4d3e-9a8f-7c6d5e4a3b2c
status: experimental
description: Detects Windows Defender detection events (Event ID 1116, Microsoft-Windows-Windows Defender/Operational) on PowerShell scripts located in Siemens or Desigo patch directories, indicative of a potential false positive on the update component.
references:
  - https://www.siemens.com
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.defense_evasion
  - attack.t1562.001
logsource:
  product: windows
  service: windefend
detection:
  selection:
    EventID: 1116
    Threat_Name|contains:
      - 'PowerShell'
      - 'Script'
      - 'Trojan'
  selection_path:
    Path|contains:
      - 'Siemens'
      - 'Desigo'
      - 'ProgramData\\Siemens'
  condition: selection and selection_path
falsepositives:
  - Legitimate Siemens Desigo CC patching triggering heuristics
level: high
---
title: Suspicious PowerShell Execution from Siemens Installer Context
id: 9e5b3d02-2c6e-5f4f-0b9g-8d7e6f5a4c3d
status: experimental
description: Detects PowerShell execution spawned by a Siemens installer process that may be triggering heuristic detections due to update script behavior.
references:
  - https://attack.mitre.org/techniques/T1059/001
author: Security Arsenal
date: 2026/05/12
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  # Parent must be an installer binary AND live under a Siemens/Desigo path;
  # two selections are needed because a YAML map cannot repeat the same key.
  selection_parent_exe:
    ParentImage|endswith:
      - '\\setup.exe'
      - '\\update.exe'
  selection_parent_vendor:
    ParentImage|contains:
      - 'Siemens'
      - 'Desigo'
  selection_child:
    Image|endswith:
      - '\\powershell.exe'
      - '\\pwsh.exe'
    CommandLine|contains:
      - 'ExecutionPolicy'
      - 'EncodedCommand'
  condition: all of selection_parent_* and selection_child
falsepositives:
  - Legitimate Desigo CC installation or update process
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for Windows Defender detection events (Event ID 1116) whose detected file sits in a Siemens path, allowing analysts to quickly identify whether the false positive is active in their environment. Defender events forwarded to Sentinel are stored in the Event table (Source "Microsoft-Windows-Windows Defender"), not in SecurityEvent.

KQL — Microsoft Sentinel / Defender
Event
| where Source == "Microsoft-Windows-Windows Defender" and EventID == 1116
// The Data[] indices are positional; confirm them against a sample 1116 event
// from your own tenant before relying on this query.
| extend ThreatName = tostring(parse_xml(EventData).Data[4]["#text"])
| extend FileName = tostring(parse_xml(EventData).Data[3]["#text"])
| where ThreatName contains "PowerShell" or ThreatName contains "Script"
| where FileName contains "Siemens" or FileName contains "Desigo"
| project TimeGenerated, Computer, UserName, ThreatName, FileName, RenderedDescription
| sort by TimeGenerated desc
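For analysts who need to confirm the false positive on a single endpoint before the SIEM query runs, the same logic can be executed locally. The following is an added example written for this post, not code from the original article or from Siemens: it reads Windows Defender detection events (ID 1116) from the endpoint's own Operational log, flattens the named EventData fields ("Threat Name", "Path", "Action Name", "Detection User") and keeps only events whose detected path contains one of the assumed vendor markers Siemens or Desigo.

```powershell
# Added example (not from the original post): local equivalent of the
# Sigma/KQL logic. Run in an elevated PowerShell session on the endpoint.
function Get-DefenderSiemensDetection {
    [CmdletBinding()]
    param(
        # Assumed vendor path markers; adjust to your deployment layout.
        [string[]]$PathKeyword = @('Siemens', 'Desigo'),
        [int]$MaxEvents = 500
    )

    $filter = @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116   # MALWAREPROTECTION_STATE_MALWARE_DETECTED
    }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Flatten the <Data Name="..."> elements into a name -> value table.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Defender records the resource as e.g. "file:_C:\ProgramData\Siemens\...\patch.ps1".
        $path = $data['Path']
        if (-not $path) { continue }

        $matched = $PathKeyword | Where-Object { $path -like "*$_*" }
        if (-not $matched) { continue }

        [pscustomobject]@{
            TimeCreated = $ev.TimeCreated
            Computer    = $ev.MachineName
            ThreatName  = $data['Threat Name']
            Action      = $data['Action Name']      # e.g. Quarantine, Block, Allow
            User        = $data['Detection User']
            Path        = $path -replace '^file:_', ''
        }
    }
}

# Usage: newest matches first. The Path column feeds step 1 of the remediation
# (hash the file and compare it with the Siemens advisory).
Get-DefenderSiemensDetection |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, ThreatName, Action, Path -AutoSize
```

The Action column is the useful triage signal: a Quarantine entry means the patch component has already been removed and the installation is likely broken, whereas an Allow entry indicates an exclusion is in place and should be reviewed against the hash check below.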

Velociraptor VQL

Use this artifact to hunt for the presence of the patch scripts on endpoints and calculate their hashes for verification against the vendor's advisory.

VQL — Velociraptor
-- Hunt for Siemens Desigo CC patch scripts and compute their hashes
-- (hash() returns MD5, SHA1 and SHA256; OSPath is the current column name,
-- older Velociraptor releases expose the same value as FullPath)
SELECT OSPath, Size, Mtime, hash(path=OSPath) AS Hashes
FROM glob(globs="C:/ProgramData/Siemens/**/*.ps1")
WHERE OSPath =~ "Desigo"
-- Compare Hashes.SHA256 against the value published in the Siemens advisory

Remediation Script (PowerShell)

WARNING: Do not run this script blindly. You must replace the $ExpectedHash variable with the SHA256 hash provided in the official Siemens ProductCERT advisory. This script verifies the file integrity before suggesting an exclusion.

PowerShell
# Verify Siemens Desigo CC Patch File Integrity
# Replace with the actual SHA256 hash from the Siemens advisory
$ExpectedHash = "REPLACE_WITH_OFFICIAL_SIEMENS_SHA256"
$PatchPath = "C:\Path\To\DesigoPatch\File.ps1"

# Refuse to run while the placeholder is still in place
if ($ExpectedHash -notmatch '^[0-9A-Fa-f]{64}$') {
    Write-Error "ExpectedHash is not a 64-character SHA256 value. Copy it from the Siemens ProductCERT advisory first."
    exit 1
}

if (-not (Test-Path -LiteralPath $PatchPath)) {
    Write-Error "Patch file not found at $PatchPath"
    exit 1
}

$FileHash = (Get-FileHash -LiteralPath $PatchPath -Algorithm SHA256).Hash

# String -eq is case-insensitive, so the hex case used in the advisory does not matter
if ($FileHash -eq $ExpectedHash) {
    Write-Host "[+] Verification Successful: File matches official Siemens hash." -ForegroundColor Green
    Write-Host "[+] Action: Review EDR console and create file/path exclusion for $PatchPath if required for patch completion." -ForegroundColor Cyan
    exit 0
} else {
    Write-Error "[-] Verification Failed: Hash mismatch. Potential tampering or wrong file version."
    Write-Error "Expected: $ExpectedHash"
    Write-Error "Actual: $FileHash"
    # Investigate immediately; do not create an exclusion
    exit 2
}

Remediation

To mitigate the operational impact while maintaining security, execute the following steps:

  1. Verify Integrity: Do not rely on the file name alone. Calculate the SHA256 hash of the flagged PowerShell script and compare it against the hashes published in the official Siemens advisory (usually found on the Siemens Security Advisories portal).
  2. Temporary Exclusion: Only after positive hash verification, configure a temporary exclusion in your AV/EDR solution for the specific script path or hash to allow the patch installation to proceed.
  3. Patch Application: Complete the installation of the Desigo CC patch.
  4. Remove Exclusion: Once the patch is successfully applied and the system is stable, remove the temporary exclusion to restore full monitoring coverage.
  5. Tune Rules: Update your SOC detection rules (similar to the Sigma rules above) to specifically suppress alerts for this known hash/version, ensuring future alerts are actionable.
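Steps 1 to 4 can be chained so that the exclusion window is as short as possible and is always closed, even if the patch script fails. The following is an added example written for this post, not code from the original article or from Siemens: it verifies the SHA256 hash first, adds a Microsoft Defender path exclusion for that one file only (assumed Defender Antivirus as the AV/EDR; other products need their own cmdlets), runs the patch script, and removes the exclusion in a finally block. The function name, its parameters and the advisory hash are assumptions; the hash must be copied from the Siemens ProductCERT advisory.

```powershell
# Added example (not from the original post): hash-gated patch run with a
# temporary, self-removing Defender exclusion. Requires an elevated session.
function Invoke-VerifiedPatchWithTemporaryExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PatchScript,
        # SHA256 from the Siemens ProductCERT advisory (placeholder until copied in)
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string[]]$PatchArguments = @()
    )

    if (-not (Test-Path -LiteralPath $PatchScript)) {
        throw "Patch file not found: $PatchScript"
    }
    if ($ExpectedSha256 -notmatch '^[0-9A-Fa-f]{64}$') {
        throw "ExpectedSha256 is not a 64-character SHA256 value; copy it from the advisory."
    }

    # Step 1: verify integrity before touching any security setting.
    $actual = (Get-FileHash -LiteralPath $PatchScript -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Hash mismatch for ${PatchScript}: expected $ExpectedSha256, got $actual. No exclusion created; investigate."
    }
    Write-Verbose "SHA256 verified for $PatchScript"

    # Step 2: exclude only this exact file, and remember whether we created the entry
    # so that a pre-existing exclusion managed elsewhere is not removed by us.
    $resolved    = (Resolve-Path -LiteralPath $PatchScript).Path
    $preExisting = @((Get-MpPreference).ExclusionPath) -contains $resolved
    $added       = $false

    try {
        if (-not $preExisting -and $PSCmdlet.ShouldProcess($resolved, 'Add temporary Defender path exclusion')) {
            Add-MpPreference -ExclusionPath $resolved
            $added = $true
            Write-Verbose "Temporary exclusion added for $resolved"
        }

        # Step 3: run the verified patch script with any vendor-documented arguments.
        if ($PSCmdlet.ShouldProcess($resolved, 'Execute verified patch script')) {
            & $resolved @PatchArguments
        }
    }
    finally {
        # Step 4: always restore full monitoring coverage, even on failure.
        if ($added) {
            Remove-MpPreference -ExclusionPath $resolved
            Write-Verbose "Temporary exclusion removed for $resolved"
        }
    }
}

# Usage (paths and hash are placeholders):
# Invoke-VerifiedPatchWithTemporaryExclusion `
#     -PatchScript 'C:\ProgramData\Siemens\DesigoCC\Patch\Update.ps1' `
#     -ExpectedSha256 'REPLACE_WITH_OFFICIAL_SIEMENS_SHA256' -Verbose -WhatIf
```

Running with -WhatIf first shows the two ShouldProcess actions (add exclusion, execute script) without performing them, which is a convenient way to document the change window for the SOC before the real run.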

For official guidance and hash verification, refer to the Siemens Security Advisories.
