MITRE ATT&CK® Technique

T0823: Graphical User Interface

Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.

If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.

ICS | T0823 | Technique | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

GUI access matters in ICS because it can let an intruder interact with operational systems the same way an operator, engineer, or administrator would: by opening applications, clicking controls, and launching programs. ATT&CK does not provide a tactic or platform for T0823, but the relationships show relevance to workstations, HMIs, historians, control servers, application servers, data gateways, jump hosts, switches, and firewalls. For leaders, the practical issue is whether remote or local graphical access to critical OT assets is governed, logged, and reviewable.

Executive priority

Treat this as an operational resilience and evidence question: who can obtain GUI access to ICS assets, from where, through which jump hosts or remote access paths, and with what audit trail? Because MITRE maps the mitigation to 'Limited or Not Effective,' prevention alone should not be assumed. Priority should go to access governance, segmentation/jump-host control, monitoring, and incident response procedures for interactive sessions on critical OT systems. ATT&CK relationships to major ICS campaigns make this behavior material, but the supplied data does not support claims of current exploitation in any specific environment.

Technical view

SOC, detection engineering, and IR teams should inventory all approved GUI access paths, including physical console use and remote GUI protocols such as RDP and VNC as described by ATT&CK. Validate coverage for interactive sessions on targeted ICS asset classes: workstations, HMIs, historians, control servers, application servers, data gateways, jump hosts, switches, and firewalls. Since no official detection text is provided, use the related DET0772 detection strategy as a pointer, then build local logic around authentication, session establishment, process execution from interactive sessions, and boundary traversal into OT. Tune carefully for legitimate operator and engineering activity.

Likely telemetry

  • Authentication and interactive logon records for ICS hosts and jump hosts
  • RDP, VNC, or other remote GUI session logs where used
  • Jump host access records and session metadata
  • Endpoint process execution tied to interactive user sessions
  • Network flow or firewall logs showing GUI access paths into ICS segments

Detection direction

  • Confirm whether GUI access to critical ICS assets is observable end to end, not just allowed by policy.
  • Baseline normal operator, engineer, vendor, and administrator GUI sessions by source, destination, time, account, and asset role.
  • Alert on GUI access that bypasses expected jump hosts, crosses unusual network boundaries, uses unexpected accounts, or occurs outside approved operating windows.
  • Correlate session creation with program execution on HMIs, workstations, historians, and control servers.
  • Account for false positives from maintenance windows, vendor support, shift handoffs, and emergency operations.
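The five points above describe rule-based review of GUI session records rather than any specific product logic. The following script is an added example, not code from the page, MITRE or Glexia: it encodes a constructed environment model (an OT subnet, approved jump hosts, asset roles, account allow-lists and an approved operating window, all invented for illustration), evaluates constructed RDP/VNC session records against the jump-host, account, boundary and time-window rules, and correlates each session with process launches on the target host so an analyst sees what was run during an interactive session.

```python
"""Added example (not from the page, MITRE or Glexia): rule-based review of GUI
session records for ICS assets. Every host, account, subnet and log line below is
constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed environment model (assumed for the example).
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")            # ICS asset segment
JUMP_HOSTS = {"10.10.5.10", "10.10.5.11"}                     # approved jump hosts
ASSET_ROLES = {"10.20.1.5": "hmi", "10.20.1.20": "historian", "10.20.2.3": "control-server"}
# Accounts allowed to open interactive GUI sessions on each asset role.
ALLOWED_ACCOUNTS = {
    "hmi": {"operator1", "operator2", "eng-svc"},
    "historian": {"eng-svc", "dba1"},
    "control-server": {"eng-svc"},
}
APPROVED_HOURS = (7, 19)          # local hours, start inclusive, end exclusive
GUI_PROTOCOLS = {"rdp", "vnc"}

@dataclass
class Session:
    ts: datetime
    src: str
    dst: str
    account: str
    protocol: str
    session_id: str

@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    session_id: str
    image: str

def _kv(rest):
    # Parse "key=value key=value ..." into a dict (constructed log format).
    return dict(tok.split("=", 1) for tok in rest.split())

def parse_session(line):
    # Constructed format: "<ts> session src=<ip> dst=<ip> user=<acct> proto=<p> sid=<id>"
    ts, _, rest = line.split(" ", 2)
    kv = _kv(rest)
    return Session(datetime.fromisoformat(ts), kv["src"], kv["dst"],
                   kv["user"], kv["proto"].lower(), kv["sid"])

def parse_process(line):
    # Constructed format: "<ts> process host=<ip> sid=<id> image=<path>"
    ts, _, rest = line.split(" ", 2)
    kv = _kv(rest)
    return ProcessEvent(datetime.fromisoformat(ts), kv["host"], kv["sid"], kv["image"])

def review_session(s):
    """Return the rule names the session trips; an empty list means it matches the baseline."""
    findings = []
    # Only GUI sessions whose destination is inside the OT segment are in scope here.
    if s.protocol not in GUI_PROTOCOLS or ipaddress.ip_address(s.dst) not in OT_SEGMENT:
        return findings
    role = ASSET_ROLES.get(s.dst, "unknown")
    if s.src not in JUMP_HOSTS:                      # crossed the boundary without a jump host
        findings.append("bypasses-jump-host")
    if s.account not in ALLOWED_ACCOUNTS.get(role, set()):
        findings.append("unexpected-account")
    if not (APPROVED_HOURS[0] <= s.ts.hour < APPROVED_HOURS[1]):
        findings.append("outside-operating-window")
    return findings

def correlate(sessions, processes, window=timedelta(minutes=30)):
    """Map session_id -> images launched on the session's target host within `window` of session start."""
    by_sid = {s.session_id: s for s in sessions}
    launched = {sid: [] for sid in by_sid}
    for p in processes:
        s = by_sid.get(p.session_id)
        if s and p.host == s.dst and timedelta(0) <= p.ts - s.ts <= window:
            launched[p.session_id].append(p.image)
    return launched

def triage(session_lines, process_lines):
    """Evaluate every session and attach the programs it launched."""
    sessions = [parse_session(l) for l in session_lines]
    processes = [parse_process(l) for l in process_lines]
    launched = correlate(sessions, processes)
    return {s.session_id: {"rules": review_session(s), "launched": launched[s.session_id]}
            for s in sessions}

# Constructed sample telemetry: one normal operator session, one session from an
# unapproved source with an unapproved account at night, one normal historian session.
SESSION_LOG = [
    "2025-01-01T09:15:00 session src=10.10.5.10 dst=10.20.1.5 user=operator1 proto=RDP sid=s1",
    "2025-01-01T02:40:00 session src=10.30.7.44 dst=10.20.2.3 user=contractor9 proto=VNC sid=s2",
    "2025-01-01T10:00:00 session src=10.10.5.11 dst=10.20.1.20 user=dba1 proto=RDP sid=s3",
]
PROCESS_LOG = [
    "2025-01-01T09:16:10 process host=10.20.1.5 sid=s1 image=C:\\HMI\\runtime.exe",
    "2025-01-01T02:41:05 process host=10.20.2.3 sid=s2 image=C:\\Windows\\System32\\cmd.exe",
    "2025-01-01T02:43:30 process host=10.20.2.3 sid=s2 image=C:\\Vendor\\EngTool.exe",
]

if __name__ == "__main__":
    for sid, result in triage(SESSION_LOG, PROCESS_LOG).items():
        print(sid, result)
```

The rules are deliberately additive rather than a single score: a session that only trips `outside-operating-window` is a candidate for the maintenance-window and shift-handoff exceptions the list mentions, whereas a session that trips all three and launched programs on a control server is what the IR playbook should be written for. In a real deployment the environment model would come from the asset inventory and jump-host configuration rather than constants.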

Mitigation priorities

  • Do not rely on preventative controls alone; the supplied mitigation relationship states this behavior is difficult to mitigate because it abuses system features.
  • Limit GUI access paths to approved operational needs and validate that jump hosts and firewalls enforce those paths where present.
  • Apply strong access governance for accounts permitted to use GUI access on ICS assets, including periodic review and removal of unnecessary access.
  • Ensure remote GUI access is logged, monitored, and retained as compliance and incident response evidence.
  • Prepare IR playbooks for suspicious interactive sessions, including how to identify the user, source, target asset, session scope, and programs executed.

Analyst notes and limits

This take is based only on the supplied ATT&CK object, its external reference, and relationships. The technique has no official ATT&CK detection text, no specified tactic, and no specified platform at the technique level. Asset relationships provide the operational context: GUI access is relevant across multiple ICS asset types, especially human-operated systems and access-control points such as HMIs, workstations, and jump hosts.

Local architecture determines materiality. The supplied ATT&CK fields do not identify specific tools, commands, detection logic, or guaranteed mitigations. Teams must confirm which GUI protocols, physical access paths, operating systems, logging sources, and OT assets exist in their own environment before assessing coverage.

Official MITRE ATT&CK definition

Graphical User Interface

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Campaign ICS

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 852393a4a2f76efc...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.1                       Current bundle  852393a4a2f7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: T0823 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.