Difference between revisions of "Technique/T0823"

From attackics
Line 11: Line 11:
 
|MitigationObjects={{Mitigation Object
 
|MitigationObjects={{Mitigation Object
 
|Mitigation=Mitigation/M0816
 
|Mitigation=Mitigation/M0816
|Description=Once an adversary has access to a remote GUI they can abuse system features, such has required HMI functions.
+
|Description=Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.
 
}}
 
}}
 
|Mitigation=*Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Physical control room or control systems access often implies also gaining logical access.[[CiteRef::Guidance - NIST SP800-82]]
 
|Mitigation=*Restrict access to control room(s), portable devices, and removable media, which should be locked down and physically secured. Physical control room or control systems access often implies also gaining logical access.[[CiteRef::Guidance - NIST SP800-82]]
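Review bot: the `such has` to `such as` correction in the Description line is right. Two further points in this hunk: the Mitigation line fuses the citation onto the sentence (`gaining logical access.[[CiteRef::Guidance - NIST SP800-82]]`), so a space before `[[CiteRef::…]]` would keep the rendered reference separate from the period; and the phrase `such as required HMI functions` leaves unclear which system features a remote GUI lets an adversary abuse, so consider spelling out the HMI functions meant.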

Revision as of 11:47, 25 September 2020

Graphical User Interface
Technique
ID T0823
Tactic Execution
Data Sources File monitoring, Process monitoring, Process command-line parameters, Binary file metadata
Asset Human-Machine Interface

Description

Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.

If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.

In the 2015 attack on the Ukrainian power grid, the adversary utilized the GUI of HMIs in the SCADA environment to open breakers.[1]
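The paragraph above notes that, absent physical access, a GUI can be reached over VNC or RDP and then used to execute programs on the target. The following detection sketch is an added example, not code from the ATT&CK for ICS page or from MITRE: it correlates the data sources the technique lists (process monitoring and process command-line parameters) with logon auditing, flagging processes started inside a remote GUI session and raising severity when the image is HMI software. The event records are constructed; logon type 10 is the Windows RemoteInteractive (RDP) logon type, while the VNC server image names, the `hmi_runtime.exe` image and the host and session identifiers are assumptions chosen for illustration.

```python
"""Correlate remote GUI sessions with process execution on HMI hosts.

Added example; it is not code from the ATT&CK for ICS page or from MITRE.
The event records below are constructed. Logon type 10 is the Windows
RemoteInteractive (RDP) logon type; the VNC server process names are an
assumed watchlist chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed watchlist of remote-GUI server images (not from the page).
REMOTE_GUI_SERVERS: Set[str] = {"winvnc.exe", "tvnserver.exe", "x11vnc", "vncserver"}
RDP_LOGON_TYPE = 10  # Windows event 4624, LogonType 10 = RemoteInteractive


@dataclass
class Event:
    ts: int                 # constructed, monotonically increasing timestamp
    kind: str               # "logon" (logon auditing) or "process" (process monitoring)
    host: str
    user: str
    session: str = ""       # logon session id shared by logon and process events
    logon_type: int = 0     # only meaningful for kind == "logon"
    image: str = ""         # process image name
    parent: str = ""        # parent process image name
    cmdline: str = ""       # process command-line parameters


def find_remote_gui_executions(events: List[Event], hmi_images: Set[str]) -> List[Dict[str, str]]:
    """Flag processes started inside a remote GUI session (RDP or VNC).

    A session counts as remote if it was opened by a RemoteInteractive logon,
    or if the process is a direct child of a VNC server. Executions of HMI
    software in such a session are marked high severity, everything else medium.
    """
    remote_sessions: Dict[Tuple[str, str], str] = {}
    alerts: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "logon" and ev.logon_type == RDP_LOGON_TYPE:
            remote_sessions[(ev.host, ev.session)] = "RDP logon (LogonType 10)"
            continue
        if ev.kind != "process":
            continue
        reason = remote_sessions.get((ev.host, ev.session))
        if reason is None and ev.parent.lower() in REMOTE_GUI_SERVERS:
            reason = f"child of remote GUI server {ev.parent}"
        if reason is None:
            continue  # local console activity: not this technique
        is_hmi = ev.image.lower() in hmi_images
        alerts.append({
            "host": ev.host,
            "user": ev.user,
            "image": ev.image,
            "cmdline": ev.cmdline,
            "reason": reason,
            "severity": "high" if is_hmi else "medium",
        })
    return alerts


# Constructed sample events: one local console session, one RDP session, one VNC child.
SAMPLE_EVENTS = [
    Event(1, "logon", "hmi01", "operator", session="0x3e7a", logon_type=2),
    Event(2, "process", "hmi01", "operator", session="0x3e7a", image="hmi_runtime.exe",
          parent="explorer.exe", cmdline="hmi_runtime.exe --project substation.prj"),
    Event(3, "logon", "hmi02", "engineer", session="0x51c2", logon_type=10),
    Event(4, "process", "hmi02", "engineer", session="0x51c2", image="cmd.exe",
          parent="explorer.exe", cmdline="cmd.exe"),
    Event(5, "process", "hmi02", "engineer", session="0x51c2", image="hmi_runtime.exe",
          parent="explorer.exe", cmdline="hmi_runtime.exe --project substation.prj"),
    Event(6, "process", "hmi03", "svc_vnc", session="0x0077", image="hmi_runtime.exe",
          parent="winvnc.exe", cmdline="hmi_runtime.exe"),
]
HMI_IMAGES = {"hmi_runtime.exe"}  # assumed image name of the HMI application


if __name__ == "__main__":
    for alert in find_remote_gui_executions(SAMPLE_EVENTS, HMI_IMAGES):
        print(alert)
```

Run against the constructed events, the local console session on `hmi01` produces nothing, while the RDP session on `hmi02` and the VNC-spawned HMI process on `hmi03` yield three alerts. Keying the correlation on the logon session id rather than on the user name is deliberate: the same operator account can legitimately run the HMI at the console, and only the remote path is what the technique describes.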


Procedure Examples

  • In the Ukraine 2015 Incident, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers.[1]

Mitigations