Graphical User Interface

ID: T1061
Tactic: Execution
Platform: Linux, macOS, Windows
Permissions Required: User, Administrator, SYSTEM
Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring
Supports Remote: Yes

This technique causes a binary or script to execute through interaction with the file in a graphical user interface (GUI) or in an interactive remote session such as Remote Desktop Protocol.


Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting[1] tools, like AppLocker[2][3] and Software Restriction Policies[4] where appropriate.[5]


Detection of execution through the GUI will likely lead to significant false positives. Other factors should be considered to detect misuse of services that can lead to adversaries gaining access to systems through interactive remote sessions.

Unknown or unusual process launches outside of normal behavior on a particular system occurring through remote interactive sessions are suspicious. Collect and audit security logs that may indicate access to and use of Legitimate Credentials to access remote systems within the network.
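
One way to apply the per-system baseline described above, as an added example that is not part of the original page: it links process-creation events to remote interactive logon sessions and reports only images not seen before on that host. The events are constructed and simplified; field names follow Windows Security events 4624 and 4688, and the events are assumed to arrive in time order.

```python
from collections import defaultdict

REMOTE_INTERACTIVE = 10  # 4624 LogonType for Remote Desktop / Terminal Services

def ev(event_id, computer, **fields):
    """Build one simplified event record (helper for the constructed samples)."""
    return {"EventID": event_id, "Computer": computer, **fields}

# Constructed sample events: hosts, users, logon IDs and paths are made up.
BASELINE = [
    ev(4624, "ws01", LogonType=10, TargetLogonId="0x1a2", TargetUserName="alice"),
    ev(4688, "ws01", SubjectLogonId="0x1a2", NewProcessName=r"C:\Windows\explorer.exe"),
    ev(4688, "ws01", SubjectLogonId="0x1a2", NewProcessName=r"C:\Windows\System32\notepad.exe"),
]
NEW = [
    ev(4624, "ws01", LogonType=10, TargetLogonId="0x2b3", TargetUserName="alice"),
    ev(4688, "ws01", SubjectLogonId="0x2b3", NewProcessName=r"C:\Windows\explorer.exe"),
    ev(4688, "ws01", SubjectLogonId="0x2b3", NewProcessName=r"C:\Users\alice\Downloads\update.exe"),
    ev(4624, "ws01", LogonType=2, TargetLogonId="0x3c4", TargetUserName="bob"),  # console logon
    ev(4688, "ws01", SubjectLogonId="0x3c4", NewProcessName=r"C:\Users\bob\tool.exe"),
]

def remote_session_launches(events):
    """Yield (host, user, image) for each 4688 created inside a type 10 logon session."""
    sessions = {}  # (host, logon id) -> user who opened the remote session
    for e in events:
        if e["EventID"] == 4624 and e["LogonType"] == REMOTE_INTERACTIVE:
            sessions[(e["Computer"], e["TargetLogonId"])] = e["TargetUserName"]
        elif e["EventID"] == 4688:
            user = sessions.get((e["Computer"], e["SubjectLogonId"]))
            if user is not None:
                yield e["Computer"], user, e["NewProcessName"].lower()

def unusual_launches(baseline_events, new_events):
    """Return remote-session launches whose image is absent from that host's baseline."""
    seen = defaultdict(set)
    for host, _, image in remote_session_launches(baseline_events):
        seen[host].add(image)
    return [(host, user, image)
            for host, user, image in remote_session_launches(new_events)
            if image not in seen[host]]

if __name__ == "__main__":
    for host, user, image in unusual_launches(BASELINE, NEW):
        print(f"{host}: {user} launched unbaselined image in remote session: {image}")
```

Keeping the baseline per host rather than global is what holds down the false positives noted above, since a launch that is routine on one system can be unusual on another.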