A0012: Jump Host
Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts.
Analyst context for executives and security teams
A jump host is a controlled access point for remote management into an ICS environment. Its business value is also its risk: if authentication, authorization, session auditing, or remote access controls are weak, the jump host can become the practical gateway between corporate/external networks and operational technology. For executives and security leaders, this asset should be treated as a high-value control point for operational resilience, third-party access governance, and incident evidence.
Executive priority
Prioritize the jump host as a critical ICS access-control and audit asset. Leadership should ask whether every remote session into the ICS environment is forced through it, whether access is authenticated and permissioned, whether all attempts are audited, and whether incident responders can quickly reconstruct who accessed what. Because ATT&CK relationships show many techniques targeting this asset—including external remote services, valid accounts, command-line/GUI access, discovery, sniffing, removable media, and destructive or disruptive actions—the jump host deserves budget and control attention disproportionate to its device count.
Technical view
Validate coverage around Windows, Linux, and embedded jump host implementations. Since ATT&CK provides no official detection text for this asset, SOC and IR teams should build detections from the asset’s role: remote session ingress, authentication and authorization decisions, administrative CLI/GUI activity, network discovery from the jump host, file and script execution, removable media use, and changes that could affect auditing or availability. Relationship context makes this especially important for T0822 External Remote Services, T0859 Valid Accounts, T0807 Command-Line Interface, T0823 Graphical User Interface, T0846 Remote System Discovery and its port/broadcast/multicast discovery sub-techniques, T0842 Network Sniffing, T0849 Masquerading, T0853 Scripting, T0847 Replication Through Removable Media, and disruptive behaviors such as T0809 Data Destruction, T0814 Denial of Service, and T0816 Device Restart/Shutdown.
Likely telemetry
- Remote access logs for RDP or other approved remote management mechanisms used to reach the jump host
- Authentication, authorization, failed login, privileged access, and account/session audit records
- Session recording or administrative activity logs where available
- Process creation, command-line, scripting, service, and scheduled task evidence on Windows/Linux jump hosts
- GUI access events and remote desktop session metadata
Detection direction
- Start with an asset-centric allowlist: approved users, source networks, remote access methods, destination ICS devices, maintenance windows, and expected administrative tools.
- Tune for misuse of valid accounts rather than only malware indicators; suspicious patterns include unusual login sources, off-hours access, repeated failures followed by success, privilege changes, and sessions that do not match approved work orders.
- Monitor command-line, scripting, GUI, and native OS activity from the jump host because these are normal administration paths and also relationship-linked adversary behaviors; focus on abnormal combinations, sequence, and destination rather than single events alone.
- Detect discovery behaviors from the jump host, including network connection enumeration, port scans, broadcast discovery, multicast discovery, and sniffing-like activity, while accounting for legitimate engineering or troubleshooting activity.
- Correlate remote service entry with downstream ICS access. A session that authenticates successfully but then touches unusual systems, uses unexpected tools, or performs file transfer/destructive actions should receive higher priority.
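The detection direction above, worked through as an added example (this code is not part of the ATT&CK object or of Glexia's analysis): a small Python script that applies an asset-centric allowlist to constructed jump host telemetry, tunes for misuse of valid accounts (unapproved source, off-hours logon, repeated failures followed by a success), and then correlates the resulting session with what it does next, raising severity when a suspicious session launches an unexpected tool or reaches an ICS destination that is not on the approved list. The event schema (normalized `logon_success`/`logon_failure`/`process`/`connection` dicts), the allowlist values, the thresholds and the sample events are all hypothetical and constructed for illustration.

```python
"""Asset-centric detection over jump host telemetry (added example, not from ATT&CK).

Assumptions: a hypothetical normalized feed in which logon, process-creation and
outbound-connection records from the jump host are already parsed into dicts.
All allowlist values, thresholds and sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# --- Constructed allowlist for one hypothetical jump host ---
APPROVED_USERS = {"ot-admin", "vendor-svc"}
APPROVED_SOURCES = [ip_network("10.20.0.0/24")]        # corporate admin VLAN
APPROVED_DESTINATIONS = {"10.30.1.10", "10.30.1.11"}   # ICS devices reachable through the jump host
APPROVED_TOOLS = {"mstsc.exe", "putty.exe"}            # expected administrative tooling
MAINTENANCE_HOURS = range(8, 18)                       # local hours covered by approved work orders
FAILURE_THRESHOLD = 3                                  # failed logons before a success is suspicious
FAILURE_WINDOW = timedelta(minutes=10)

# --- Constructed sample events (not real logs) ---
EVENTS = [
    {"ts": "2024-05-06T09:00:00", "type": "logon_success", "user": "ot-admin", "src": "10.20.0.15"},
    {"ts": "2024-05-06T09:01:00", "type": "process", "user": "ot-admin", "image": "putty.exe"},
    {"ts": "2024-05-06T09:02:00", "type": "connection", "user": "ot-admin", "dst": "10.30.1.10", "port": 22},
    {"ts": "2024-05-06T23:10:00", "type": "logon_failure", "user": "vendor-svc", "src": "203.0.113.7"},
    {"ts": "2024-05-06T23:11:00", "type": "logon_failure", "user": "vendor-svc", "src": "203.0.113.7"},
    {"ts": "2024-05-06T23:12:00", "type": "logon_failure", "user": "vendor-svc", "src": "203.0.113.7"},
    {"ts": "2024-05-06T23:13:00", "type": "logon_success", "user": "vendor-svc", "src": "203.0.113.7"},
    {"ts": "2024-05-06T23:14:00", "type": "process", "user": "vendor-svc", "image": "nmap.exe"},
    {"ts": "2024-05-06T23:15:00", "type": "connection", "user": "vendor-svc", "dst": "10.30.1.55", "port": 502},
]


def _source_approved(src):
    addr = ip_address(src)
    return any(addr in net for net in APPROVED_SOURCES)


def analyze(events):
    """Return findings as (user, rule, severity) tuples.

    Logon events are evaluated against the allowlist; later process/connection
    events from the same user are correlated with the flags raised at logon, so a
    session that was already suspicious is escalated to "high" when it touches an
    unapproved tool or destination.
    """
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failed logons
    session_flags = defaultdict(set)      # user -> rules raised for the current session

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind, ts = ev["user"], ev["type"], datetime.fromisoformat(ev["ts"])

        if kind == "logon_failure":
            recent_failures[user].append(ts)
            continue

        if kind == "logon_success":
            session_flags[user] = set()   # new session: fresh correlation context
            if user not in APPROVED_USERS:
                session_flags[user].add("unapproved_user")
            if not _source_approved(ev["src"]):
                session_flags[user].add("unapproved_source")
            if ts.hour not in MAINTENANCE_HOURS:
                session_flags[user].add("off_hours")
            in_window = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
            if len(in_window) >= FAILURE_THRESHOLD:
                session_flags[user].add("failures_then_success")
            recent_failures[user] = []
            for rule in sorted(session_flags[user]):
                findings.append((user, rule, "medium"))
            continue

        # Post-authentication activity: a single event is only medium on its own,
        # but becomes high when the session it belongs to was already flagged.
        if kind == "process" and ev["image"].lower() not in APPROVED_TOOLS:
            rule = "unapproved_tool"
        elif kind == "connection" and ev["dst"] not in APPROVED_DESTINATIONS:
            rule = "unapproved_destination"
        else:
            continue
        severity = "high" if session_flags[user] else "medium"
        session_flags[user].add(rule)
        findings.append((user, rule, severity))

    return findings


if __name__ == "__main__":
    for user, rule, severity in analyze(EVENTS):
        print(f"{severity:6} {user:12} {rule}")
```

Run as-is, the approved daytime session from the admin VLAN produces no findings, while the vendor account's off-hours logon from an external address after three failures is flagged at logon and then escalated when it runs a scanner and connects to an ICS address outside the approved set. In production the allowlist would be loaded from the access-governance system rather than hard-coded, and the per-user correlation key would normally include the session or logon ID so that concurrent sessions by the same account are not conflated.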
Mitigation priorities
- Make the jump host an explicitly governed control point: require remote ICS administration to traverse approved jump host pathways and maintain an accurate inventory of Windows, Linux, or embedded implementations.
- Enforce strong authentication, role-based permissions, and least-privilege access for users and service accounts that can reach ICS devices through the jump host.
- Preserve auditability: enable and protect logs for authentication, authorization, remote sessions, administrative commands, file activity, and configuration changes.
- Restrict allowed protocols, source networks, destination systems, and administrative tooling to what is required for ICS support.
- Segment the jump host carefully between corporate/external access paths and ICS destinations, and monitor both sides of the boundary.
Analyst notes and limits
This take is based on the official ATT&CK asset description for A0012 Jump Host and the supplied relationships showing ICS techniques that target it. The strongest defensive value is not a specific detection signature but disciplined validation of identity, remote access, session auditing, administrative behavior, and network movement through a known chokepoint.
ATT&CK does not provide official detection guidance, tactics, aliases, or labels for this asset in the supplied fields. The relationship descriptions are truncated in places, so detection and mitigation guidance is intentionally conservative and must be adapted to the organization’s actual jump host architecture, remote access protocols, vendor workflows, and available telemetry.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0874 | Hooking | Hooking targets this object. |
| ICS | T0830 | Adversary-in-the-Middle | Adversary-in-the-Middle targets this object. |
| ICS | T0892 | Change Credential | Change Credential targets this object. |
| ICS | T0814 | Denial of Service | Denial of Service targets this object. |
| ICS | T1695 | Block Communications | Block Communications targets this object. |
| ICS | T0859 | Valid Accounts | Valid Accounts targets this object. |
| ICS | T0863 | User Execution | User Execution targets this object. |
| ICS | T0847 | Replication Through Removable Media | Replication Through Removable Media targets this object. |
| ICS | T0884 | Connection Proxy | Connection Proxy targets this object. |
| ICS | T0890 | Exploitation for Privilege Escalation | Exploitation for Privilege Escalation targets this object. |
| ICS | T0840 | Network Connection Enumeration | Network Connection Enumeration targets this object. |
| ICS | T0853 | Scripting | Scripting targets this object. |
| ICS | T0865 | Spearphishing Attachment | Spearphishing Attachment targets this object. |
| ICS | T0820 | Exploitation for Evasion | Exploitation for Evasion targets this object. |
| ICS | T0869 | Standard Application Layer Protocol | Standard Application Layer Protocol targets this object. |
| ICS | T0816 | Device Restart/Shutdown | Device Restart/Shutdown targets this object. |
| ICS | T0888 | Remote System Information Discovery | Remote System Information Discovery targets this object. |
| ICS | T0834 | Native API | Native API targets this object. |
| ICS | T1695.003 | Block Communications: Wi-Fi | Wi-Fi targets this object. |
| ICS | T1694.001 | Insecure Credentials: Default Credentials | Default Credentials targets this object. |
| ICS | T0894 | System Binary Proxy Execution | System Binary Proxy Execution targets this object. |
| ICS | T0867 | Lateral Tool Transfer | Lateral Tool Transfer targets this object. |
| ICS | T0823 | Graphical User Interface | Graphical User Interface targets this object. |
| ICS | T0846.003 | Remote System Discovery: Multicast Discovery | Multicast Discovery targets this object. |
| ICS | T0807 | Command-Line Interface | Command-Line Interface targets this object. |
| ICS | T0862 | Supply Chain Compromise | Supply Chain Compromise targets this object. |
| ICS | T0846.001 | Remote System Discovery: Port Scan | Port Scan targets this object. |
| ICS | T0846.002 | Remote System Discovery: Broadcast Discovery | Broadcast Discovery targets this object. |
| ICS | T0851 | Rootkit | Rootkit targets this object. |
| ICS | T0881 | Service Stop | Service Stop targets this object. |
| ICS | T1694 | Insecure Credentials | Insecure Credentials targets this object. |
| ICS | T0895 | Autorun Image | Autorun Image targets this object. |
| ICS | T0866 | Exploitation of Remote Services | Exploitation of Remote Services targets this object. |
| ICS | T0822 | External Remote Services | External Remote Services targets this object. |
| ICS | T1695.002 | Block Communications: Ethernet | Ethernet targets this object. |
| ICS | T0809 | Data Destruction | Data Destruction targets this object. |
| ICS | T0885 | Commonly Used Port | Commonly Used Port targets this object. |
| ICS | T0842 | Network Sniffing | Network Sniffing targets this object. |
| ICS | T0846 | Remote System Discovery | Remote System Discovery targets this object. |
| ICS | T0849 | Masquerading | Masquerading targets this object. |
| ICS | T0872 | Indicator Removal on Host | Indicator Removal on Host targets this object. |
| ICS | T0852 | Screen Capture | Screen Capture targets this object. |
| ICS | T0886 | Remote Services | Remote Services targets this object. |
| ICS | T1695.001 | Block Communications: Serial COM | Serial COM targets this object. |
| ICS | T0893 | Data from Local System | Data from Local System targets this object. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | aa3c83d6f334… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] North American Electric Reliability Corporation. (2021, June 28). Glossary of Terms Used in NERC Reliability Standards. Retrieved 2021/10/11.
[2] mitre-attack. A0012.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.