MITRE ATT&CK® Analytic

AN1904: Analytic 1904

Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. Remote Services and Valid Accounts may be used to access a host’s GUI. Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. Remote Services and Valid Accounts may be used to access a host’s GUI. Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. Remote Services may be used to access a host’s GUI. Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Remote Services may be used to access a host’s GUI.

ICS · AN1904 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about proving whether remote graphical access to ICS-related hosts is visible and explainable. Remote GUI services such as RDP or VNC can be legitimate for administration, but they also create a high-value path for hands-on access when paired with valid accounts. For leaders, the practical question is not simply “do we allow RDP/VNC?” but “can we distinguish approved remote administration from unusual access before it affects operations?”

Executive priority

Prioritize this as an operational resilience and incident-readiness control check for environments where remote GUI access is used. The business value is in validating accountability for privileged or administrative access, supporting audit evidence around remote access governance, and giving incident responders enough evidence to assess suspicious logons quickly. Because no platform or tactic is specified in the supplied object, scope should be driven by local asset criticality and where remote graphical services are actually enabled.

Technical view

SOC and IR teams should validate collection and correlation across four evidence areas described by the analytic: newly executed processes associated with remote graphical connection services such as RDP and VNC; executed commands and arguments for those services; DLL creation and DLL load events involving processes tied to remote graphical connections; and login activity showing users accessing systems they do not normally use or accessing multiple systems in a short time. The supplied ATT&CK description links this behavior to Remote Services T0886 and Valid Accounts T0859, so detections should correlate remote-service logins with identity context and follow-on suspicious behavior rather than alerting on remote access alone.

Likely telemetry

  • Process execution events for remote graphical service components such as RDP or VNC-related processes
  • Command-line and argument logging for executed remote-access services or tools
  • DLL file creation events
  • DLL load events into processes associated with remote graphical connections
  • User logon and session activity related to remote services

Detection direction

  • Baseline approved remote GUI access by user, host, time window, and administrative purpose before tuning alerts.
  • Correlate remote service logins with unusual process execution, command arguments, or DLL activity to reduce false positives from routine administration.
  • Look for users logging into systems they do not normally access or accessing multiple systems over a short period of time.
  • Validate whether telemetry covers both authentication/session events and endpoint execution/file-load evidence; either source alone may leave gaps.
  • Treat RDP/VNC activity as context-sensitive: legitimate remote support can look similar unless enriched with asset criticality, user role, and change/maintenance context.
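One way to implement the baseline-and-correlate direction above, as an added illustrative example (not Glexia's or MITRE's code): it builds a per-user baseline of hosts reached over RDP/VNC, flags logons to a host outside that baseline or to several hosts within a short window, and enriches each finding with processes started on that host shortly after the logon, so routine administration on a known host produces no alert. All event data, host and user names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (illustrative only; not from the page or any real environment).
LOGONS = [  # (timestamp, user, host, remote GUI service)
    ("2024-05-01T09:00:00", "alice", "hmi-01", "RDP"),
    ("2024-05-02T09:05:00", "alice", "hmi-01", "RDP"),
    ("2024-05-10T02:10:00", "alice", "eng-ws-07", "RDP"),
    ("2024-05-10T02:14:00", "alice", "hist-02", "VNC"),
    ("2024-05-10T02:17:00", "alice", "plc-gw-03", "RDP"),
    ("2024-05-10T09:01:00", "alice", "hmi-01", "RDP"),
]
PROCS = [  # (timestamp, host, image, command line)
    ("2024-05-10T02:11:30", "eng-ws-07", "cmd.exe", "cmd.exe /c hostname"),
    ("2024-05-10T09:02:00", "hmi-01", "notepad.exe", "notepad.exe"),
]
CUTOFF = "2024-05-10T00:00:00"  # logons before this instant form the baseline
ts = datetime.fromisoformat

def build_baseline(logons, cutoff):
    """Hosts each user reached over RDP/VNC before the cutoff: the approved-access baseline."""
    base = defaultdict(set)
    for t, user, host, _ in logons:
        if ts(t) < ts(cutoff):
            base[user].add(host)
    return base

def detect(logons, procs, baseline, cutoff, burst_window=timedelta(minutes=15),
           burst_hosts=3, proc_window=timedelta(minutes=5)):
    """Flag post-cutoff logons to a host outside the user's baseline ('new_host') or to
    burst_hosts distinct hosts within burst_window ('burst'), enriched with processes
    started on that host within proc_window of the logon."""
    findings, seen = [], defaultdict(list)
    for t, u, h, svc in sorted((ts(t), u, h, s) for t, u, h, s in logons if ts(t) >= ts(cutoff)):
        seen[u].append((t, h))
        anomalies = []
        if h not in baseline.get(u, set()):
            anomalies.append("new_host")
        if len({hh for tt, hh in seen[u] if t - tt <= burst_window}) >= burst_hosts:
            anomalies.append("burst")
        if not anomalies:
            continue  # routine administration on a known host with no burst: no alert
        procs_after = [(pt, img, cmd) for pt, ph, img, cmd in procs
                       if ph == h and t <= ts(pt) <= t + proc_window]
        findings.append({"time": t.isoformat(), "user": u, "host": h, "service": svc,
                         "anomalies": anomalies, "processes": procs_after})
    return findings

def run_sample():  # run the detection over the constructed sample and return the findings
    return detect(LOGONS, PROCS, build_baseline(LOGONS, CUTOFF), CUTOFF)
```

The 09:01 logon to hmi-01 (a baseline host, followed by notepad.exe) yields no finding, while the three early-morning logons to hosts alice has never used are flagged, the third one also as a burst.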

Mitigation priorities

  • Inventory where remote graphical services are enabled and confirm there is an approved operational need.
  • Restrict remote GUI access to authorized accounts and expected administrative paths using existing identity and access controls.
  • Review account privileges and remote-access entitlements, especially for systems that support critical operations.
  • Ensure logging is enabled for process execution, command arguments, DLL activity, and remote logons where technically feasible.
  • Document approved remote administration patterns so SOC, IR, and audit teams can distinguish expected access from exceptions.

Analyst notes and limits

This is an ICS ATT&CK detection analytic, external ID AN1904, focused on monitoring remote graphical access behavior. The object does not provide a separate official detection block, platforms, tactics, labels, aliases, or relationships. The description itself references Remote Services T0886 and Valid Accounts T0859, which supports identity-aware correlation but not any claim about a specific adversary, campaign, or active exploitation.

Coverage and priority depend on local architecture, whether RDP/VNC or similar remote graphical services are used, and the availability of endpoint, authentication, and file/DLL telemetry. No ATT&CK platform is supplied, so platform-specific data sources, event IDs, or vendor detections should be determined locally.

Official MITRE ATT&CK definition

Analytic 1904

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e8c1245ecafa886a...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   e8c1245ecafa…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN1904

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.