A0008: Application Server
Application servers are used across many different sectors to host the various diverse software applications necessary to support the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).
Analyst context for executives and security teams
An ICS application server is often where reporting, alarm management, analytics, and coordination between control servers are hosted. Because it commonly runs on modern Windows or Linux server operating systems and supports operational visibility, compromise or disruption can affect how operators understand and manage the industrial process even if field devices are not directly touched.
Executive priority
Treat ICS application servers as high-value operational assets, not ordinary back-office servers. The ATT&CK relationship context shows they can be targeted through public-facing applications, external remote services, valid accounts, command-line or GUI access, removable media, supply chain paths, remote-service exploitation, lateral tool transfer, network discovery, sniffing, masquerading, rootkits, scripting, and destructive or restart/shutdown activity. Leaders should ask whether these servers are inventoried, segmented, patched based on exposure and criticality, covered by identity controls, and represented in incident response and compliance evidence for OT resilience.
Technical view
For SOC, IR, and detection engineering teams, validate visibility on Windows and Linux application servers that support ICS functions. Because MITRE provides no asset-specific detection text, coverage should be built from the related techniques: remote access and authentication activity, command-line and scripting execution, GUI sessions, file creation and transfer, service exposure, public-facing application logs, network enumeration, packet capture or sniffing indicators, unexpected restarts/shutdowns, destructive file activity, and signs of masquerading or rootkit-like hiding. Baseline normal operator, engineer, vendor, and service-account behavior before alerting on deviations, since many administrative actions may be legitimate in OT maintenance windows.
Likely telemetry
- Asset inventory identifying ICS application servers, operating system, hosted applications, and business/operational function
- Windows and Linux authentication logs, including local, domain, service, vendor, and remote-access accounts
- Command-line, shell, and scripting execution telemetry where safely collectable
- Remote access logs for VPN, remote services, GUI access, and administrative sessions
- Application, web, and service logs for any exposed or remotely reachable software
Detection direction
- Start with an authoritative baseline of which application servers exist, what ICS functions they support, who administers them, and which remote paths are expected.
- Tune detections around deviations from approved administration: unusual CLI or script use, unexpected GUI sessions, new tools, non-native files, masqueraded names, lateral file copies, or activity outside maintenance windows.
- Correlate identity and remote access events with host execution and network activity, especially for valid-account use and external remote services.
- Monitor public-facing or remotely reachable applications for exploitation indicators, but avoid assuming exposure unless local inventory confirms it.
- Look for discovery behaviors such as port scans, broadcast or multicast discovery, network connection enumeration, and sniffing on or near these servers.
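As an added illustration of the baseline-then-deviation approach in the technical view and detection direction above (example code written for this page, not MITRE's or Glexia's), the following Python correlates constructed logon and process events for one hypothetical application server against a baseline of approved administrators, remote sources and maintenance windows. All accounts, addresses, paths and times are assumed sample values.

```python
from datetime import datetime

# Constructed baseline for one hypothetical ICS application server: every account, address and window is a sample value.
BASELINE = {
    "admins": {"ops\\eng.alice", "ops\\svc-historian"},
    "remote_sources": {"10.10.5.20"},  # the approved jump host
    "maintenance": [(datetime(2026, 3, 14, 22, 0), datetime(2026, 3, 15, 2, 0))],
}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "explorer.exe"}  # expected only under C:\Windows

def in_maintenance(ts, windows):
    return any(start <= ts <= end for start, end in windows)

def evaluate(events, baseline=BASELINE):
    """Walk logon/process events in time order, tie each process to its logon session, return (ts, finding, detail)."""
    findings, sessions = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = ev["ts"]
        if ev["type"] == "logon":
            sessions[ev["session"]] = ev
            if ev["user"] not in baseline["admins"]:
                findings.append((ts, "logon by non-approved account", ev["user"]))
            if ev["src"] and ev["src"] not in baseline["remote_sources"]:
                findings.append((ts, "remote logon from unapproved source", ev["src"]))
        else:  # process creation event
            image = ev["image"].lower()
            name = image.rsplit("\\", 1)[-1]
            user = sessions.get(ev["session"], {}).get("user", "unknown-session")
            if name in SCRIPT_HOSTS and not in_maintenance(ts, baseline["maintenance"]):
                findings.append((ts, "CLI/script use outside maintenance window", f"{user} {name}"))
            if name in SYSTEM_BINARIES and not image.startswith("c:\\windows\\"):
                findings.append((ts, "masquerading: system binary name outside C:\\Windows", ev["image"]))
    return findings

def logon(ts, session, user, src=None):  # src=None means a local console logon
    return {"ts": ts, "type": "logon", "session": session, "user": user, "src": src}
def proc(ts, session, image):
    return {"ts": ts, "type": "process", "session": session, "image": image}

# Constructed sample telemetry: an in-window maintenance session, then an out-of-hours remote session by an unlisted account.
EVENTS = [
    logon(datetime(2026, 3, 14, 22, 30), "0x1a", "ops\\eng.alice", "10.10.5.20"),
    proc(datetime(2026, 3, 14, 22, 35), "0x1a", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    logon(datetime(2026, 3, 16, 3, 10), "0x2b", "ops\\contractor.bob", "10.10.9.77"),
    proc(datetime(2026, 3, 16, 3, 12), "0x2b", r"C:\Windows\System32\cmd.exe"),
    proc(datetime(2026, 3, 16, 3, 15), "0x2b", r"C:\Users\Public\svchost.exe"),
]
```

The approved session produces no findings; the second session yields one finding per deviation, each carrying the account resolved through the logon session so identity and host execution are tied together.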
Mitigation priorities
- Inventory and classify ICS application servers by operational function and criticality.
- Reduce exposure of public-facing applications and external remote services; require approved access paths and strong authentication where applicable.
- Apply vulnerability and patch prioritization based on server criticality, exposure, and hosted ICS applications, using OT change-control constraints.
- Restrict administrative access, service accounts, removable media use, and lateral file-sharing paths to documented operational need.
- Segment application servers from unnecessary enterprise, internet, and peer-to-peer access while preserving required ICS communications.
Analyst notes and limits
This take is based on MITRE ATT&CK for ICS asset A0008 and the supplied relationships where multiple ICS techniques target the Application Server asset. The most useful local analysis is to map each related technique to actual services, accounts, applications, and network paths present in the environment.
MITRE does not provide official detection guidance, tactics, aliases, or labels for this asset in the supplied fields. The related technique descriptions are general and do not prove that any specific application server is internet-facing, vulnerable, compromised, or monitored. Local architecture, logging, change-control, and operational safety requirements must determine final detection and mitigation choices.
Application Server
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0867 | Lateral Tool Transfer | Lateral Tool Transfer targets this object. |
| ICS | T0819 | Exploit Public-Facing Application | Exploit Public-Facing Application targets this object. |
| ICS | T1695.002 | Ethernet Sub-technique | Ethernet targets this object. |
| ICS | T0807 | Command-Line Interface | Command-Line Interface targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0846.003 | Multicast Discovery Sub-technique | Multicast Discovery targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T0822 | External Remote Services | External Remote Services targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T1694.001 | Default Credentials Sub-technique | Default Credentials targets this object. |
| ICS | T0846.001 | Port Scan Sub-technique | Port Scan targets this object. |
| ICS | T0895 | Autorun Image | Autorun Image targets this object. |
| ICS | T0886 | Remote Services | Remote Services targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T0894 | System Binary Proxy Execution | System Binary Proxy Execution targets this object. |
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0853 | Scripting | Scripting targets this object. |
| ICS | T0849 | Masquerading | Masquerading targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0883 | Internet Accessible Device | Internet Accessible Device targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0893 | Data from Local System | Data from Local System targets this object. |
| ICS | T0823 | Graphical User Interface | Graphical User Interface targets this object. |
| ICS | T1695.003 | Wi-Fi Sub-technique | Wi-Fi targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0846.002 | Broadcast Discovery Sub-technique | Broadcast Discovery targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 7a9d3f38c141… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: A0008 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.