Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.
If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.
| ID | Name | Description |
|---|---|---|
| C0028 | 2015 Ukraine Electric Power Attack |
During the 2015 Ukraine Electric Power Attack, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers. [1] |
| ID | Asset |
|---|---|
| A0008 | Application Server |
| A0007 | Control Server |
| A0009 | Data Gateway |
| A0006 | Data Historian |
| A0002 | Human-Machine Interface (HMI) |
| A0012 | Jump Host |
| A0001 | Workstation |
| ID | Mitigation | Description |
|---|---|---|
| M0816 | Mitigation Limited or Not Effective |
Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0017 | Command | Command Execution |
Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. Remote Services and Valid Accounts may be used to access a host’s GUI. |
| DS0028 | Logon Session | Logon Session Creation |
Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Remote Services may be used to access a host’s GUI. |
| DS0011 | Module | Module Load |
Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. Remote Services may be used to access a host’s GUI. |
| DS0009 | Process | Process Creation |
Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. Remote Services and Valid Accounts may be used to access a host’s GUI. |