MITRE ATT&CK® Mitigation

M0935: Limit Access to Resource Over Network

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

ICS | M0935 | Mitigation | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This mitigation is about reducing who and what can reach sensitive ICS resources over the network. For executives and security leaders, the value is resilience: unnecessary file shares, remote access paths, and exposed services can turn a routine credential or remote-access issue into operational risk. The key decision is whether remote connectivity is intentionally brokered through controlled access points, such as concentrators or remote access gateways, rather than left broadly reachable.

Executive priority

Prioritize this where remote administration, vendor access, or external connectivity touches control-system environments. It supports defensible control evidence for IEC 62443 and NIST SP 800-53 access-control and boundary-protection expectations, and it gives incident responders clearer containment options when external remote services are suspected. Leaders should ask: which ICS resources are reachable over networks, which access paths are business-justified, who owns exceptions, and how quickly can access be restricted during an incident?

Technical view

ATT&CK identifies this as an ICS mitigation for limiting network access to resources, including file shares, remote access to systems, and unnecessary services. It specifically mitigates External Remote Services (T0822), where VPNs, Citrix, remote service gateways, or similar mechanisms may provide initial access into an environment. SOC, IR, and architecture teams should validate that remote access is centralized through approved gateways or concentrators, unnecessary services are removed or blocked, and access to file shares and administrative interfaces is restricted to defined users, systems, and network paths.

Likely telemetry

  • Remote access gateway and VPN authentication logs
  • Network concentrator or gateway connection logs
  • Firewall, access-control list, and boundary device logs
  • File share access logs where available
  • Service exposure or listening-service inventory

Detection direction

  • No official ATT&CK detection guidance is provided for this mitigation, so detection should focus on validating control effectiveness rather than assuming a specific analytic.
  • Monitor for access to ICS resources that bypasses approved remote access gateways, concentrators, or controlled network paths.
  • Review remote access logs for unusual source locations, accounts, times, or systems, while accounting for legitimate vendor and administrative maintenance activity.
  • Compare observed network reachability against approved access rules to identify exposed file shares, remote administration services, or unnecessary services.
  • Use the relationship to T0822 as context: detection engineering should pay particular attention to external remote services that can reach internal control-system resources.
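
One way to run the comparison of observed reachability against approved access rules, as an added example that is not part of the ATT&CK object or Glexia's tooling. The ICS subnet, the gateway address, the approved paths and the log format are constructed assumptions.

```python
import ipaddress

# Constructed values: ICS subnet, gateway address and approved paths are assumptions.
ICS_NET = ipaddress.ip_network("10.50.0.0/24")
APPROVED_PATHS = [
    # (source network, destination network, destination port)
    ("10.20.0.10/32", "10.50.0.0/24", 3389),  # RDP only from the RDP gateway
    ("10.20.0.10/32", "10.50.0.20/32", 445),  # file share only via the gateway
]
RULES = [(ipaddress.ip_network(s), ipaddress.ip_network(d), p) for s, d, p in APPROVED_PATHS]

# Constructed boundary-device log lines: timestamp action src dst dport
SAMPLE_LOG = """\
2026-01-10T08:01:02Z ALLOW 10.20.0.10 10.50.0.15 3389
2026-01-10T08:03:40Z ALLOW 192.0.2.44 10.50.0.15 3389
2026-01-10T08:05:11Z ALLOW 10.30.4.7 10.50.0.20 445
2026-01-10T08:06:00Z DENY 198.51.100.9 10.50.0.15 3389
2026-01-10T08:07:30Z ALLOW 10.20.0.10 10.50.0.20 445
2026-01-10T08:09:12Z ALLOW 10.20.0.10 10.50.0.15 23
2026-01-10T08:10:00Z ALLOW 10.30.4.7 10.40.0.5 443
malformed line
"""

def parse(line):
    """Return (ts, action, src, dst, dport), or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, action, src, dst, dport = parts
    try:
        return ts, action, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None

def is_approved(src, dst, dport):
    return any(src in s and dst in d and dport == p for s, d, p in RULES)

def find_bypasses(log_text):
    """Allowed flows into the ICS subnet that match no approved path."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, action, src, dst, dport = rec
        if action == "ALLOW" and dst in ICS_NET and not is_approved(src, dst, dport):
            findings.append((ts, str(src), str(dst), dport))
    return findings

if __name__ == "__main__":
    for finding in find_bypasses(SAMPLE_LOG):
        print("unapproved path into ICS network:", finding)
```

The third finding comes from the gateway itself reaching a port with no documented need, which is the "unnecessary services" case rather than a gateway bypass.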

Mitigation priorities

  • Inventory externally reachable and internally reachable ICS resources, including file shares, remote administration services, and other network services.
  • Remove or disable unnecessary services and file shares where business need is not documented.
  • Route required remote access through approved control points such as network concentrators, RDP gateways, or equivalent remote access gateways.
  • Restrict access by user, system, network path, and business purpose; document exceptions and owners.
  • Maintain audit evidence aligned to the supplied control mappings: IEC 62443 SR/CR 5.1 and NIST SP 800-53 AC-3 and SC-7.

Analyst notes and limits

This is a mitigation object, not an adversary technique. Its strongest decision value is in architecture review, remote access governance, and incident containment planning for ICS environments. The supplied relationship to External Remote Services makes vendor access, VPN-style connectivity, and remote service gateways especially important review areas.

Platforms and tactics are not specified, and MITRE provides no official detection text for this object. Local architecture, asset inventory, remote access design, and logging capabilities are required to determine actual coverage and gaps. This take does not assert active exploitation, attribution, or guaranteed detection.

Official MITRE ATT&CK definition

Limit Access to Resource Over Network

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
ICS | T0822 | External Remote Services | Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 1e20514ec336ab3f...

Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 1e20514ec336…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack M0935

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.