Skip to content

T0823 Graphical User Interface

Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.

If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.

Item Value
ID T0823
Sub-techniques
Tactics TA0104
Platforms Human-Machine Interface
Version 1.1
Created 21 May 2020
Last Modified 09 March 2023

Procedure Examples

ID Name Description
C0009 Oldsmar Treatment Plant Intrusion During the Oldsmar Treatment Plant Intrusion, the threat actors utilized the operator HMI interface through the graphical user interface. This action led to immediate operator detection as they were able to see the adversary making changes on their screen.2
G0034 Sandworm Team In the Ukraine 2015 Incident, Sandworm Team utilized HMI GUIs in the SCADA environment to open breakers. 1

Mitigations

ID Mitigation Description
M0816 Mitigation Limited or Not Effective Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0028 Logon Session Logon Session Creation
DS0011 Module Module Load
DS0009 Process Process Creation

References

  1. Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27  

  2. Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08