A0001: Workstation
Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.
Analyst context for executives and security teams
An ICS workstation is often the human bridge into control operations: engineers and operators use it for configuration, programming, diagnostics, maintenance, and operational tasks. Because these systems may be fixed in the OT network or temporarily connected to field devices, compromise can create risk beyond normal endpoint loss, including loss of visibility, unauthorized changes, disrupted maintenance, or a path toward devices that affect physical processes.
Executive priority
Treat ICS workstations as high-value operational access points, not ordinary desktops. Leaders should ask whether these Windows and Linux systems are inventoried, segmented, monitored, governed for removable media and remote access, and included in incident response and recovery plans. The relationship context shows they are targeted by techniques involving valid accounts, command line and GUI interaction, discovery, sniffing, supply chain and removable media exposure, exploitation of public-facing applications, and destructive or disruptive actions such as data destruction and restart/shutdown. That makes them important for business continuity, audit evidence, OT access governance, and cyber-physical risk management.
Technical view
SOC, OT security, and IR teams should validate endpoint and network visibility around both fixed and transient workstations. ATT&CK provides no official detection text for this asset, so coverage should be built from the related techniques: command-line and scripting activity, GUI/remote interaction, account use, network enumeration, port/broadcast/multicast discovery, packet capture behavior, removable media use, suspicious file masquerading, screen capture, rootkit-like hiding behavior, public-facing service exposure, wireless access paths, and abnormal restart/shutdown or data destruction events. Because these systems may run dedicated control-system and vendor tools, detections need local baselines to distinguish approved engineering activity from suspicious use.
Likely telemetry
- Asset inventory identifying ICS workstations, operating system, ownership, location, and whether fixed or transient
- Endpoint process creation, command-line, scripting, service, driver, file creation/deletion, and restart/shutdown events
- Authentication and authorization logs for operator, engineer, service, local, remote, and default/legacy accounts
- Remote access and GUI session logs where applicable, including administrative access to workstation interfaces
- Network flow, DNS, connection, and protocol telemetry for workstation-to-server, workstation-to-field-device, and peer communications
Detection direction
- Start with authoritative baselines: which users, tools, scripts, protocols, and destinations are normal for each engineering or operator workstation.
- Correlate identity events with endpoint and network activity; valid account use may look legitimate unless paired with unusual timing, source, privilege, destination, or tool behavior.
- Tune command-line, scripting, GUI, and native API monitoring to account for approved maintenance workflows while flagging rare interpreters, unexpected administrative utilities, masqueraded files, and non-native tools.
- Monitor discovery behavior from workstations, including netstat-like enumeration, port scans, broadcast discovery, multicast discovery, and unusual connections to field devices or control servers.
- Pay special attention to transient workstations and removable media, because the asset description explicitly includes devices directly connected to field devices for local management.
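To make the baseline-and-correlate approach above concrete, here is an added example (not MITRE's or Glexia's code) that triages a batch of workstation telemetry against a per-host baseline. The baseline format, the event fields, and every hostname, account, tool and address in it are constructed for illustration; the rule names and thresholds are assumptions, not ATT&CK data sources.

```python
"""Baseline-driven triage of engineering-workstation telemetry.

Added example, not MITRE's or Glexia's code. Baseline layout, event schema and
all sample values below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Per-workstation baseline: what is normal for THIS host (constructed values).
BASELINES = {
    "ENG-WS-01": {
        "users": {"ot\\jsmith"},
        "tools": {"tia_portal.exe", "explorer.exe", "svchost.exe", "ping.exe"},
        "destinations": {"PLC-LINE1": {102}, "SCADA-SRV": {3389}},
        "maintenance_hours": range(7, 19),  # approved window 07:00-18:59 local
    },
}

# Categories the detection direction calls out: rare interpreters and
# netstat-like discovery utilities (assumed lists, extend per site).
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "python.exe", "cmd.exe"}
DISCOVERY = {"netstat.exe", "arp.exe", "nbtstat.exe", "nmap.exe", "net.exe"}
BROADCAST = {"255.255.255.255", "224.0.0.251", "239.255.255.250"}
SCAN_PORT_THRESHOLD = 10  # distinct ports to one target within a batch


def evaluate(events, baselines=BASELINES):
    """Return (rule, host, detail) findings for a batch of events.

    Each event carries ts (ISO 8601), host, user, kind ('process' or 'network')
    and kind-specific fields: image/cmdline or dst/dport.
    """
    findings, seen = [], set()

    def add(rule, host, detail):
        key = (rule, host, detail)
        if key not in seen:  # report each distinct finding once per batch
            seen.add(key)
            findings.append(key)

    conns = defaultdict(set)  # (host, dst) -> ports seen in this batch
    for ev in events:
        host = ev["host"]
        base = baselines.get(host)
        if base is None:  # transient or unknown device: inventory gap first
            add("unknown_workstation", host, "not in asset inventory")
            continue
        if ev["user"] not in base["users"]:
            add("unbaselined_account", host, ev["user"])
        if datetime.fromisoformat(ev["ts"]).hour not in base["maintenance_hours"]:
            add("outside_maintenance_window", host, ev["ts"][:13])
        if ev["kind"] == "process":
            image = ev["image"].lower()
            if image in DISCOVERY:
                add("discovery_tool", host, ev["cmdline"])
            elif image in INTERPRETERS and image not in base["tools"]:
                add("rare_interpreter", host, ev["cmdline"])
            elif image not in base["tools"]:
                add("unbaselined_tool", host, image)
        elif ev["kind"] == "network":
            conns[(host, ev["dst"])].add(ev["dport"])

    # Network findings are aggregated per (host, destination) so one scan
    # yields one destination finding plus one scan finding, not one per port.
    for (host, dst), ports in conns.items():
        allowed = baselines[host]["destinations"].get(dst, set())
        unexpected = sorted(ports - allowed)
        if dst in BROADCAST:
            add("broadcast_discovery", host, f"{dst} ports {sorted(ports)}")
        elif unexpected:
            add("unbaselined_destination", host, f"{dst} ports {unexpected}")
        if len(ports) >= SCAN_PORT_THRESHOLD:
            add("port_scan_like", host, f"{dst}: {len(ports)} distinct ports")
    return findings


def _ev(ts, host, user, **fields):
    return {"ts": ts, "host": host, "user": user, **fields}


# Constructed sample batch: two benign engineer events, then off-hours activity
# by an unbaselined service account, and one device missing from inventory.
SAMPLE_EVENTS = [
    _ev("2024-05-06T09:15:00", "ENG-WS-01", "ot\\jsmith", kind="process",
        image="tia_portal.exe", cmdline="tia_portal.exe"),
    _ev("2024-05-06T09:16:00", "ENG-WS-01", "ot\\jsmith", kind="network",
        dst="PLC-LINE1", dport=102),
    _ev("2024-05-06T02:40:00", "ENG-WS-01", "ot\\svc_backup", kind="process",
        image="powershell.exe", cmdline="powershell.exe -File inventory.ps1"),
    _ev("2024-05-06T02:41:00", "ENG-WS-01", "ot\\svc_backup", kind="process",
        image="netstat.exe", cmdline="netstat -ano"),
    *[_ev("2024-05-06T02:42:00", "ENG-WS-01", "ot\\svc_backup", kind="network",
          dst="10.10.5.20", dport=p) for p in range(1, 11)],
    _ev("2024-05-06T02:43:00", "ENG-WS-01", "ot\\svc_backup", kind="network",
        dst="255.255.255.255", dport=5000),
    _ev("2024-05-06T10:00:00", "LAPTOP-VENDOR", "vendor", kind="process",
        image="plc_tool.exe", cmdline="plc_tool.exe"),
]


def run_sample():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"{rule:28} {host:14} {detail}")
```

The point of the per-host baseline is that the same `netstat -ano` or PowerShell invocation is routine on one engineering workstation and anomalous on another; the identity and time-of-day checks run on every event so that a valid account used at an odd hour still surfaces, as the correlation bullet above describes.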
Mitigation priorities
- Maintain a current ICS workstation inventory, including fixed and transient devices, installed control-system applications, network zones, and authorized users.
- Limit workstation privileges and use governed accounts for operator, engineering, service, and remote access functions; review default or shared credential exposure where applicable.
- Segment workstation communications to required control servers, field devices, and management services; restrict unnecessary internet-facing, wireless, and peer-to-peer exposure.
- Control removable media use with policy, technical restrictions, scanning, and logging appropriate for OT operational constraints.
- Harden Windows and Linux workstation configurations, including unnecessary service reduction, patch and vulnerability prioritization for exposed applications, and protection of security controls from tampering.
Analyst notes and limits
This is an ATT&CK for ICS asset object, not a technique. Its value is in showing where many ICS behaviors converge: human-operated systems that interface with control servers and field devices. The supplied relationships indicate a broad set of techniques that can target workstations, including access, execution, discovery, evasion, collection, and disruption-oriented behaviors. Defensive planning should therefore use the asset as a coverage anchor for identity, endpoint, network, removable media, exposure, and recovery controls.
MITRE did not provide official detection guidance or tactics for this asset object. The related technique descriptions are summarized relationship context, not proof of activity in any specific environment. Local architecture, approved engineering workflows, vendor tooling, safety requirements, and available telemetry are required to determine actual risk, detection fidelity, and mitigation sequencing.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T1695.001 | Serial COM Sub-technique | Serial COM targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0865 | Spearphishing Attachment | Spearphishing Attachment targets this object. |
| ICS | T0864 | Transient Cyber Asset | Transient Cyber Asset targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0873.001 | Siemens Project File Format Sub-technique | Siemens Project File Format targets this object. |
| ICS | T0873 | Project File Infection | Project File Infection targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0849 | Masquerading | Masquerading targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0860 | Wireless Compromise | Wireless Compromise targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0807 | Command-Line Interface | Command-Line Interface targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0895 | Autorun Image | Autorun Image targets this object. |
| ICS | T0823 | Graphical User Interface | Graphical User Interface targets this object. |
| ICS | T0863 | User Execution | User Execution targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T0894 | System Binary Proxy Execution | System Binary Proxy Execution targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0819 | Exploit Public-Facing Application | Exploit Public-Facing Application targets this object. |
| ICS | T0853 | Scripting | Scripting targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0887 | Wireless Sniffing | Wireless Sniffing targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0817 | Drive-by Compromise | Drive-by Compromise targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0867 | Lateral Tool Transfer | Lateral Tool Transfer targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0893 | Data from Local System | Data from Local System targets this object. |
| ICS | T0871 | Execution through API | Execution through API targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0883 | Internet Accessible Device | Internet Accessible Device targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0852 | Screen Capture | Screen Capture targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 2a253f0ca3cc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.