Difference between revisions of "Technique/T0823"

From attackics
m (Text replacement - "Process:" to "[https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/process.yml Process]:")
 
(5 intermediate revisions by 2 users not shown)
Line 2: Line 2:
 
|Name=Graphical User Interface
 
|Name=Graphical User Interface
 
|Category=Execution
 
|Category=Execution
|Data Sources=File monitoring, Process monitoring, Process command-line parameters, Binary file metadata
+
|Data Sources=[https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic]: Network Traffic Flow, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/network_traffic.yml Network Traffic]: Network Traffic Content, [https://github.com/mitre-attack/attack-datasources/blob/main/contribution-ics/process.yml Process]: Process Creation
 
|Technical Description=Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.
 
|Technical Description=Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.
  
 
If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.
 
If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.
  
In the 2015 attack on the Ukrainian power grid, the adversary utilized the GUI of HMIs in the SCADA environment to open breakers.[[CiteRef::Ukraine15 - EISAC - 201603]]
+
In the Oldsmar water treatment attack, adversaries utilized the operator HMI interface through the graphical user interface. This action led to immediate operator detection as they were able to see the adversary making changes on their screen.[[CiteRef::Oldsmar Water - Sheriff Conf - youtube]]
 
|Assets=Human-Machine Interface
 
|Assets=Human-Machine Interface
 
|MitigationObjects={{Mitigation Object
 
|MitigationObjects={{Mitigation Object
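Review bot: the added Oldsmar paragraph is a procedure example and belongs beside the Ukraine 2015 example (which the rendered page already lists under Procedure Examples) rather than inside the Technical Description, and its wording is redundant ("the operator HMI interface through the graphical user interface"). Suggest: "In the Oldsmar water treatment attack, the adversary used the operator's HMI via its graphical user interface; the operator saw the changes being made on screen, so the intrusion was detected immediately." The data-source change is consistent with the RDP/VNC text (Network Traffic Flow and Content cover the remote session, Process Creation covers the programs launched through it), but "File monitoring" and "Binary file metadata" are dropped without a replacement; fine if intentional, worth a word in the edit summary otherwise.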
Line 27: Line 27:
 
}}
 
}}
 
|Levels=Level 1,Level 2
 
|Levels=Level 1,Level 2
|Platform=Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
 
 
|Analytic Details=Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems through interactive remote sessions.  
 
|Analytic Details=Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems through interactive remote sessions.  
  
 
Unknown or unusual process launches outside of normal behavior on a particular system occurring through remote interactive sessions are suspicious. Collect and audit security logs that may indicate access to and use of [[Legitimate Credentials]] to access remote systems within the network.
 
Unknown or unusual process launches outside of normal behavior on a particular system occurring through remote interactive sessions are suspicious. Collect and audit security logs that may indicate access to and use of [[Legitimate Credentials]] to access remote systems within the network.
 
}}
 
}}
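Review bot: the Platform list is removed in this hunk while the Analytic Details are left unchanged, so nothing in the detection text reflects the Network Traffic Flow and Network Traffic Content sources added above. Suggest adding a sentence such as "Monitor RDP (TCP/3389) and VNC (TCP/5900) sessions to HMI hosts and alert on sources outside the engineering workstation set", and correlating flagged sessions with process creation on the HMI so that the "unknown or unusual process launches" guidance has a concrete trigger. Dropping the Windows-only Platform list is reasonable for an asset-scoped ICS technique, since the description itself covers VNC on Linux and Unix hosts.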

Latest revision as of 17:35, 20 October 2021

Graphical User Interface (Technique)
ID: T0823
Tactic: Execution
Data Sources: Network Traffic: Network Traffic Flow, Network Traffic: Network Traffic Content, Process: Process Creation
Asset: Human-Machine Interface

Description

Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to extend their execution options. Unlike a command-line interface (CLI), which takes keyboard input only, a GUI lets a user move a cursor and click on interface objects with a mouse and keyboard, and so operate any application the logged-on user can see on screen, including HMI software that has no command-line equivalent.

If physical access is not an option, access may still be possible over remote desktop protocols such as VNC (common on Linux and Unix systems, though implementations exist for Windows as well) and RDP on Windows. Through such a session an adversary can execute programs and applications on the target machine with the privileges of the account used to log on.

In the Oldsmar water treatment attack, the adversary used the operator's HMI through its graphical user interface. The activity was detected immediately because the operator could watch the adversary making changes on screen.[1]
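The remote-access paths described above (RDP and VNC sessions to an HMI, followed by program execution inside that session) are what a detection engineer would instrument. The following is an added example, not code from the ATT&CK for ICS page or from MITRE: it runs three checks over constructed sample telemetry. The host and address allow-lists, the process baseline and every log record are hypothetical values chosen for the example; the record fields mirror Windows Security events 4624 (logon, where LogonType 10 is RemoteInteractive, i.e. RDP) and 4688 (process creation), and the flow records are plain source/destination tuples.

```python
"""Added example (not from the ATT&CK for ICS page or MITRE): detection logic for
remote GUI access to HMI hosts, run over constructed sample telemetry.

Assumptions (hypothetical, chosen for this example): the allow-lists below are
site-specific; logon and process records mirror Windows Security events 4624 and
4688 (LogonType 10 = RemoteInteractive, i.e. RDP); flow records are plain tuples.
"""
from dataclasses import dataclass

HMI_HOSTS = {"HMI-01", "HMI-02"}                         # hypothetical asset list
ENGINEERING_WORKSTATIONS = {"10.10.20.5", "10.10.20.6"}  # hosts allowed to RDP/VNC to HMIs
HMI_PROCESS_BASELINE = {r"C:\SCADA\HMIRuntime.exe", r"C:\Windows\explorer.exe"}
REMOTE_GUI_PORTS = {3389: "RDP", 5900: "VNC"}
REMOTE_INTERACTIVE = 10  # 4624 LogonType for RDP / Terminal Services sessions


@dataclass(frozen=True)
class Finding:
    kind: str
    host: str
    source: str
    detail: str
    logon_id: str = ""


def check_logons(logons):
    """Flag RemoteInteractive logons to HMI hosts from non-engineering addresses."""
    out = []
    for ev in logons:
        if ev["EventID"] != 4624 or ev["LogonType"] != REMOTE_INTERACTIVE:
            continue
        if ev["Computer"] in HMI_HOSTS and ev["IpAddress"] not in ENGINEERING_WORKSTATIONS:
            out.append(Finding("remote_interactive_logon", ev["Computer"],
                               ev["IpAddress"], f"user={ev['TargetUserName']}",
                               ev["TargetLogonId"]))
    return out


def check_flows(flows):
    """Flag RDP/VNC connections to HMI hosts from outside the engineering set."""
    out = []
    for f in flows:
        proto = REMOTE_GUI_PORTS.get(f["dst_port"])
        if proto and f["dst_host"] in HMI_HOSTS and f["src_ip"] not in ENGINEERING_WORKSTATIONS:
            out.append(Finding("remote_gui_flow", f["dst_host"], f["src_ip"], proto))
    return out


def check_processes(procs, logon_findings):
    """Flag process creations on HMI hosts outside the baseline. The 4688
    SubjectLogonId is matched to the 4624 TargetLogonId of flagged remote logons,
    so a launch is tied to the specific remote session rather than just the user."""
    flagged_sessions = {(x.host, x.logon_id) for x in logon_findings}
    out = []
    for p in procs:
        if p["EventID"] != 4688 or p["Computer"] not in HMI_HOSTS:
            continue
        if p["NewProcessName"] in HMI_PROCESS_BASELINE:
            continue
        linked = (p["Computer"], p["SubjectLogonId"]) in flagged_sessions
        where = "in flagged remote session" if linked else "in allowed or console session"
        out.append(Finding("unusual_hmi_process", p["Computer"], p["SubjectUserName"],
                           f"{p['NewProcessName']} ({where})", p["SubjectLogonId"]))
    return out


# Constructed sample telemetry (not real events). 203.0.113.7 is a documentation address.
LOGONS = [
    {"EventID": 4624, "LogonType": 10, "Computer": "HMI-01", "IpAddress": "10.10.20.5",
     "TargetUserName": "operator", "TargetLogonId": "0x1a2b"},   # allowed engineering host
    {"EventID": 4624, "LogonType": 10, "Computer": "HMI-01", "IpAddress": "203.0.113.7",
     "TargetUserName": "operator", "TargetLogonId": "0x3c4d"},   # RDP from an unexpected source
    {"EventID": 4624, "LogonType": 2, "Computer": "HMI-02", "IpAddress": "-",
     "TargetUserName": "operator", "TargetLogonId": "0x5e6f"},   # local console logon
    {"EventID": 4624, "LogonType": 10, "Computer": "ENG-01", "IpAddress": "203.0.113.7",
     "TargetUserName": "svc_eng", "TargetLogonId": "0x7081"},    # not an HMI host
]
FLOWS = [
    {"src_ip": "10.10.20.5", "dst_host": "HMI-01", "dst_port": 3389},
    {"src_ip": "203.0.113.7", "dst_host": "HMI-01", "dst_port": 3389},
    {"src_ip": "203.0.113.7", "dst_host": "HMI-02", "dst_port": 5900},
    {"src_ip": "203.0.113.7", "dst_host": "HMI-02", "dst_port": 502},   # not a GUI port
]
PROCS = [
    {"EventID": 4688, "Computer": "HMI-01", "SubjectUserName": "operator",
     "SubjectLogonId": "0x3c4d", "NewProcessName": r"C:\SCADA\HMIRuntime.exe"},
    {"EventID": 4688, "Computer": "HMI-01", "SubjectUserName": "operator",
     "SubjectLogonId": "0x3c4d", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "HMI-01", "SubjectUserName": "operator",
     "SubjectLogonId": "0x1a2b", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4688, "Computer": "ENG-01", "SubjectUserName": "svc_eng",
     "SubjectLogonId": "0x7081", "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]


def run_detection(logons=LOGONS, flows=FLOWS, procs=PROCS):
    """Run all three checks; logon findings feed the session correlation."""
    logon_findings = check_logons(logons)
    return logon_findings + check_flows(flows) + check_processes(procs, logon_findings)


if __name__ == "__main__":
    for finding in run_detection():
        print(finding)
```

The allow-lists are the "other factors" that keep this from drowning in false positives: an operator's own RDP session from an engineering workstation produces no logon or flow finding, and an unusual process in that session is reported separately from one launched inside a flagged remote session. Correlating on the logon ID rather than the user name matters because the same account typically appears in both the legitimate and the suspicious session.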

Procedure Examples

  • In the Ukraine 2015 Incident, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers.[2]

Mitigations