Graphical User Interface

Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.

If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.

ID: T0823
Sub-techniques:  No sub-techniques
Tactic: Execution
Platforms: None
Version: 1.1
Created: 21 May 2020
Last Modified: 13 October 2023

Procedure Examples

ID Name Description
C0028 2015 Ukraine Electric Power Attack

During the 2015 Ukraine Electric Power Attack, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers. [1]

Targeted Assets

ID Asset
A0008 Application Server
A0007 Control Server
A0009 Data Gateway
A0006 Data Historian
A0002 Human-Machine Interface (HMI)
A0012 Jump Host
A0001 Workstation

Mitigations

ID Mitigation Description
M0816 Mitigation Limited or Not Effective

Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. Remote Services and Valid Accounts may be used to access a host’s GUI.

DS0028 Logon Session Logon Session Creation

Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Remote Services may be used to access a host’s GUI.

DS0011 Module Module Load

Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. Remote Services may be used to access a host’s GUI.

DS0009 Process Process Creation

Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. Remote Services and Valid Accounts may be used to access a host’s GUI.

References