MITRE ATT&CK® Detection Strategy

DET0772: Detection of Graphical User Interface


ICS | DET0772 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0772 is a detection strategy for identifying adversary use of a Graphical User Interface in an ICS context. The business issue is not the GUI itself; it is whether an operator, engineer, administrator, or remote user session is expected, authorized, and explainable. GUI access can give an intruder more practical control over a system than command-line activity alone, so visibility into interactive access is important for incident triage and operational resilience.

Executive priority

Treat this as a control-validation question: do security and operations teams know which ICS-related machines should allow interactive GUI access, who is allowed to use it, and how that access is evidenced during an investigation? Because MITRE provides no platform-specific detection details for DET0772, leadership should prioritize asset inventory, access governance, and logging coverage before assuming the SOC can detect this behavior reliably.

Technical view

This detection strategy maps to ATT&CK for ICS technique T0823, Graphical User Interface. SOC and IR teams should validate visibility into interactive sessions, especially where GUI access to ICS assets is possible through local physical access or through remote GUI protocols such as VNC, which the related technique description references. Detection should focus on distinguishing normal operator and administrator activity from sessions with unexpected source systems, accounts, timing, or target assets. Because no official detection logic, platforms, or tactics are supplied, local baselining is required.

Likely telemetry

  • Authentication and authorization logs for interactive user access
  • Remote GUI session logs where such access is deployed, including VNC where applicable
  • Endpoint session evidence showing local or remote interactive logons
  • Network telemetry showing connections to approved or unexpected GUI access services
  • Asset inventory identifying systems where GUI access is expected or prohibited

Detection direction

  • Confirm which ICS-related assets permit GUI access and whether that access is logged centrally.
  • Baseline expected users, source locations, maintenance windows, and remote access paths for GUI sessions.
  • Alert on GUI access to systems that should not normally receive interactive sessions, or from unusual accounts, sources, or times.
  • Account for false positives from legitimate operator activity, engineering maintenance, vendor support, and incident response work.
  • Use relationship context with T0823 only; do not infer platform-specific coverage because the ATT&CK object does not specify platforms or official detection analytics.
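The baselining and alerting steps above can be expressed as a small triage routine. The following is an added example written for this page, not code from MITRE or from Glexia: it checks constructed interactive-session records against a hypothetical asset inventory that records, per host, whether GUI access is permitted, which accounts and source networks are approved, and whether a maintenance window applies. Host names, account names, addresses, field names and the event schema are all assumptions; timestamps are assumed to already be in site-local time.

```python
"""Added example (not from the ATT&CK object or the Glexia page): baseline-driven
triage of interactive GUI session events against an ICS asset inventory.
All hosts, users, networks and events below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class GuiPolicy:
    """Hypothetical per-host expectation for interactive GUI sessions."""
    gui_allowed: bool
    users: set = field(default_factory=set)          # approved accounts
    source_nets: list = field(default_factory=list)  # approved remote paths (ip_network)
    window: Optional[tuple] = None                   # (start, end) local time; None = any time


# Constructed inventory: engineering workstation, line HMI, and a headless
# PLC gateway on which no interactive session should ever appear.
INVENTORY = {
    "eng-ws-01": GuiPolicy(True, {"ics\\eng.alice", "ics\\eng.bob"},
                           [ip_network("10.20.0.0/24")], (time(6, 0), time(18, 0))),
    "hmi-line1": GuiPolicy(True, {"ics\\op.line1"},
                           [ip_network("10.20.1.0/24")], None),
    "plc-gw-07": GuiPolicy(False),
}


@dataclass
class SessionEvent:
    """One interactive logon as a log pipeline might normalise it (assumed schema)."""
    ts: datetime
    host: str
    user: str
    src_ip: str   # "console" marks a local physical console session
    access: str   # "console", "rdp", "vnc", ...


def _in_window(ts: datetime, window: Optional[tuple]) -> bool:
    if window is None:
        return True
    start, end = window
    return start <= ts.time() <= end


def triage(event: SessionEvent, inventory=INVENTORY) -> list:
    """Return the reasons an interactive session deviates from the baseline.
    An empty list means the session matches the documented expectation."""
    policy = inventory.get(event.host)
    if policy is None:
        return ["host not in inventory"]
    if not policy.gui_allowed:
        return ["GUI access prohibited on host"]
    reasons = []
    if event.user not in policy.users:
        reasons.append("user not approved for GUI access on host")
    if event.src_ip != "console":
        src = ip_address(event.src_ip)
        if not any(src in net for net in policy.source_nets):
            reasons.append("source outside approved remote-access path")
    if not _in_window(event.ts, policy.window):
        reasons.append("session outside maintenance window")
    return reasons


def alerts(events, inventory=INVENTORY) -> list:
    """Keep only sessions that need analyst review, with their reasons."""
    out = []
    for ev in events:
        reasons = triage(ev, inventory)
        if reasons:
            out.append({"host": ev.host, "user": ev.user, "src": ev.src_ip,
                        "access": ev.access, "ts": ev.ts.isoformat(), "reasons": reasons})
    return out


# Constructed sample events: one expected session and three deviations.
SAMPLE_EVENTS = [
    SessionEvent(datetime(2024, 3, 5, 9, 15), "eng-ws-01", "ics\\eng.alice", "10.20.0.15", "rdp"),
    SessionEvent(datetime(2024, 3, 5, 2, 40), "eng-ws-01", "ics\\eng.bob", "10.20.0.22", "rdp"),
    SessionEvent(datetime(2024, 3, 5, 10, 5), "hmi-line1", "ics\\svc.backup", "192.168.50.9", "vnc"),
    SessionEvent(datetime(2024, 3, 5, 11, 0), "plc-gw-07", "ics\\eng.alice", "console", "console"),
]

if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```

The first sample session (approved engineer, approved subnet, inside the window) produces no alert; the other three surface as off-hours access, an unapproved account from an unapproved source, and a session on a host where GUI access is prohibited. Keeping the inventory as data rather than hard-coded conditions is the point: the same routine serves as the control-validation check the page asks for, because an unknown host or an empty policy shows up as a gap rather than silently passing.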

Mitigation priorities

  • Define and document where GUI access is operationally required versus prohibited.
  • Restrict GUI access to authorized accounts and approved access paths based on local ICS architecture.
  • Ensure remote GUI access mechanisms are governed, monitored, and reviewable during incidents.
  • Align physical access controls with cyber monitoring where local console GUI use is possible.
  • Prioritize logging and retention for interactive access evidence so SOC, IR, and compliance teams can reconstruct activity.

Analyst notes and limits

The strongest use of this ATT&CK object is as a coverage checklist item for interactive access in ICS environments. It should drive conversations between operations, IAM, SOC, and incident response teams about who can use GUI access, from where, and how quickly that activity can be validated.

The supplied ATT&CK detection strategy has no official description, no official detection text, no platforms, and no tactics. The only behavioral context is its relationship to T0823 Graphical User Interface. Any concrete detection logic, thresholds, or technology assumptions must come from the local environment, not this object alone.

Official MITRE ATT&CK definition

Detection of Graphical User Interface

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID    | Name                     | Relationship / procedure
ICS    | T0823 | Graphical User Interface | This object detects Graphical User Interface.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 3cad58bb94f400d1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 3cad58bb94f4…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0772

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.