MITRE ATT&CK® Technique

T0886: Remote Services

Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network; examples include RDP, SMB, SSH, and other similar mechanisms. [1] [2] [3]

Remote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed [1] to multiple network segments, and can be used for Program Download or to execute attacks on control devices directly through Valid Accounts.

Specific remote services (RDP & VNC) may be a precursor to enable Graphical User Interface execution on devices such as HMIs or engineering workstation software.

Based on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. [4]

ICS technique T0886 (object version 1.1)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Remote Services in ICS matters because the same remote access paths that keep plants, substations, and industrial sites maintainable can also let an intruder move between business, engineering, and control-network segments. The business issue is not simply “RDP or SSH exists”; it is whether authorized remote administration, VPNs, jump hosts, data gateways, HMIs, historians, and control servers are tightly governed, logged, and segmented enough to prevent a valid connection from becoming a path to operational disruption.

Executive priority

Treat this as an operational resilience and access-governance priority. Leaders should ask which remote services are required for safe operations, who is authorized to use them, whether corporate-to-ICS paths are mediated through controlled access points, and whether evidence exists for audits and incident response. The technique is linked in ATT&CK to major ICS campaigns and to assets that often bridge operational and business needs, so budget decisions should prioritize identity controls, segmentation, remote access monitoring, and tested IR playbooks over broad, unmanaged connectivity.

Technical view

ATT&CK provides no tactic, platform, or official detection text for T0886, but the description and relationships give clear validation targets. SOC and IR teams should map remote services such as RDP, SMB, SSH, VNC, VPN access, and other remote functions across ICS network segments, especially where jump hosts, VPN servers, data gateways, HMIs, historians, control servers, application servers, switches, and DCS controllers are involved. Validate whether remote access can reach dual-homed systems or systems used for program download, valid-account access, or graphical interaction with HMI and engineering software. Use the related DET0804 detection strategy as the ATT&CK-linked detection reference, then test whether local telemetry can distinguish approved operator/admin sessions from unusual cross-segment movement.

Likely telemetry

  • VPN server authentication and session records
  • Jump host login, session, and command/activity logs
  • RDP, VNC, SSH, SMB, and other remote service connection logs where available
  • Windows/Linux authentication and account-use events on HMIs, historians, control servers, and application servers
  • Network flow records showing source, destination, port, protocol, and segment traversal

Detection direction

  • Start with an allowlisted baseline of expected remote service paths: approved users, source systems, destination assets, protocols, ports, time windows, and operational purpose.
  • Prioritize detections for remote access crossing network segments, especially corporate-to-ICS, jump-host-to-control-network, VPN-to-ICS, and data-gateway paths.
  • Correlate remote service logons with account context; Valid Accounts are explicitly referenced as a way attacks may be executed against control devices.
  • Tune for ICS operational realities: vendor maintenance, operator shifts, and engineering work can look anomalous without accurate change windows and asset ownership data.
  • Watch for remote GUI access to HMIs or engineering workstations because ATT&CK notes RDP and VNC may precede graphical user interface execution.
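The baseline-then-deviation approach in the list above can be expressed directly as detection logic. The following Python is an added example, not Glexia or MITRE content: the segment map, asset roles, allowlist entries and flow records are constructed, and the assumption that each flow record has already been joined with the authenticating account (from VPN, jump host or Windows logon telemetry) is mine, not the page's. It flags three of the conditions the list names: remote service use across segments that has no allowlisted path, approved paths used outside their operational window, and remote GUI protocols reaching HMI or engineering workstation assets from a segment other than the jump host or engineering network.

```python
"""Baseline-driven detection of cross-segment remote service use.

Added example (not MITRE or Glexia content). Segment map, asset roles,
allowlist and flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed segment map: network -> segment name.
SEGMENTS = {
    ip_network("10.10.0.0/16"): "corporate",
    ip_network("10.20.0.0/24"): "jump",
    ip_network("10.30.0.0/24"): "engineering",
    ip_network("10.40.0.0/24"): "control",
}

# Constructed asset roles for devices where remote GUI access matters.
ASSET_ROLE = {"10.40.0.10": "hmi", "10.40.0.11": "historian", "10.30.0.5": "ews"}

# Remote service ports tracked by this rule (well-known defaults).
REMOTE_SERVICE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5900: "vnc"}


@dataclass(frozen=True)
class AllowedPath:
    user: str
    src_segment: str
    dst_segment: str
    service: str
    start: time      # approved operational window (local time)
    end: time
    purpose: str


# Constructed allowlist: operators reach control assets only via the jump host
# or the engineering segment, and only inside the day-shift window.
ALLOWLIST = [
    AllowedPath("ot-admin", "jump", "control", "rdp", time(6, 0), time(18, 0), "HMI maintenance"),
    AllowedPath("ot-admin", "jump", "control", "ssh", time(6, 0), time(18, 0), "controller config"),
    AllowedPath("eng1", "engineering", "control", "ssh", time(6, 0), time(18, 0), "program download"),
]


def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, name in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def in_window(ts: datetime, path: AllowedPath) -> bool:
    return path.start <= ts.time() <= path.end


def evaluate_flow(flow: dict) -> list[str]:
    """Return findings for one flow+account record; empty list means approved."""
    findings = []
    service = REMOTE_SERVICE_PORTS.get(flow["dst_port"])
    if service is None:
        return findings                      # not a remote service we track
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    if src_seg == dst_seg:
        return findings                      # intra-segment; out of scope here
    ts = datetime.fromisoformat(flow["ts"])
    matches = [p for p in ALLOWLIST
               if p.user == flow["user"] and p.src_segment == src_seg
               and p.dst_segment == dst_seg and p.service == service]
    if not matches:
        findings.append(f"unbaselined {service} {src_seg}->{dst_seg} by {flow['user']}")
    elif not any(in_window(ts, p) for p in matches):
        findings.append(f"{service} {src_seg}->{dst_seg} by {flow['user']} outside approved window")
    # RDP/VNC towards HMI or engineering workstation from an unexpected segment.
    if (service in ("rdp", "vnc") and ASSET_ROLE.get(flow["dst"]) in ("hmi", "ews")
            and src_seg not in ("jump", "engineering")):
        findings.append(f"remote GUI ({service}) to {ASSET_ROLE[flow['dst']]} from {src_seg}")
    return findings


# Constructed sample records: flow fields joined with the authenticating account.
SAMPLE_FLOWS = [
    {"ts": "2025-03-04T10:15:00", "user": "ot-admin", "src": "10.20.0.5", "dst": "10.40.0.10", "dst_port": 3389},
    {"ts": "2025-03-04T02:40:00", "user": "ot-admin", "src": "10.20.0.5", "dst": "10.40.0.11", "dst_port": 22},
    {"ts": "2025-03-04T11:05:00", "user": "jsmith", "src": "10.10.5.23", "dst": "10.40.0.10", "dst_port": 3389},
    {"ts": "2025-03-04T11:06:00", "user": "jsmith", "src": "10.10.5.23", "dst": "10.10.7.9", "dst_port": 445},
]


def run_detections(flows=SAMPLE_FLOWS) -> list[str]:
    out = []
    for f in flows:
        out.extend(evaluate_flow(f))
    return out


if __name__ == "__main__":
    for line in run_detections():
        print(line)
```

The first record is an approved jump-host RDP session and produces nothing; the second is an approved path used at 02:40 and is flagged only for the window; the third is a direct corporate-to-control RDP session and yields both an unbaselined-path finding and a remote-GUI finding; the fourth stays inside the corporate segment and is ignored. In practice the allowlist would be generated from change windows and asset ownership data rather than hand-written, which is the tuning point the list above calls out.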

Mitigation priorities

  • Define and approve required remote services for each ICS segment and disable or block unnecessary paths.
  • Enforce authorization and role-based access where supported, using the ATT&CK-linked Authorization Enforcement and User Account Management mitigations as control anchors.
  • Require human user authentication for remote access; use strong authentication where feasible in the ICS environment and document compensating controls where it is not.
  • Use access management gateways or jump hosts to mediate access when field devices cannot enforce sufficient identity and authentication controls themselves.
  • Apply network segmentation so corporate, management, and control networks cannot reach critical process control systems except through approved paths.
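A segmentation policy of the kind the list above describes can be checked mechanically against a firewall ruleset before deployment, so that a rule granting corporate or management networks a direct remote service path into control or safety zones is caught as a policy violation rather than discovered in an incident. The Python below is an added example, not the page's or MITRE's; the zone names, the Rule structure and both rulesets are constructed. The weak ruleset shows direct paths into protected zones and a catch-all service; the hardened one admits only named services from the jump host and engineering zones.

```python
"""Static check of a firewall ruleset against an ICS remote-access policy.

Added example, not MITRE or Glexia content. Zone names, the Rule shape and
both rulesets are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str   # e.g. "rdp", "ssh", "vnc", "smb", or "any"
    action: str    # "allow" or "deny"


# Constructed policy: remote services may enter protected zones only from the
# mediating jump host zone or the engineering zone, and only as individually
# approved services, never as a catch-all.
PROTECTED_ZONES = {"control", "safety"}
APPROVED_SOURCE_ZONES = {"jump", "engineering"}
REMOTE_SERVICES = {"rdp", "vnc", "ssh", "smb"}


def violations(rules: list[Rule]) -> list[str]:
    """Return one message per policy violation among allow rules reaching a protected zone."""
    out = []
    for r in rules:
        if r.action != "allow" or r.dst_zone not in PROTECTED_ZONES:
            continue
        if r.service == "any":
            out.append(f"{r.name}: service 'any' into {r.dst_zone}; enumerate approved services")
        elif r.service not in REMOTE_SERVICES:
            continue   # not a remote service; outside this check
        if r.src_zone not in APPROVED_SOURCE_ZONES:
            out.append(f"{r.name}: {r.src_zone}->{r.dst_zone} {r.service} bypasses the jump host")
    return out


def has_default_deny(rules: list[Rule]) -> bool:
    """True when the ruleset ends with an explicit deny-all, so unlisted paths are blocked."""
    last = rules[-1]
    return last.action == "deny" and last.src_zone == last.dst_zone == last.service == "any"


# Constructed weak ruleset: direct corporate RDP into control and a management
# catch-all into the safety zone.
WEAK_RULES = [
    Rule("corp-to-ctrl-rdp", "corporate", "control", "rdp", "allow"),
    Rule("mgmt-any-to-safety", "management", "safety", "any", "allow"),
    Rule("jump-to-ctrl-rdp", "jump", "control", "rdp", "allow"),
    Rule("default-deny", "any", "any", "any", "deny"),
]

# Constructed hardened ruleset: corporate users reach the jump host only; the
# jump host and engineering zone reach control with named services.
HARDENED_RULES = [
    Rule("corp-to-jump-rdp", "corporate", "jump", "rdp", "allow"),
    Rule("jump-to-ctrl-rdp", "jump", "control", "rdp", "allow"),
    Rule("jump-to-ctrl-ssh", "jump", "control", "ssh", "allow"),
    Rule("eng-to-ctrl-ssh", "engineering", "control", "ssh", "allow"),
    Rule("default-deny", "any", "any", "any", "deny"),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: default deny={has_default_deny(rules)}")
        for v in violations(rules):
            print("  ", v)
```

Running the check on WEAK_RULES reports the corporate-to-control RDP path and two problems with the management rule (catch-all service and a source zone that bypasses the jump host); HARDENED_RULES produces no violations. The same check can be wired into the change process so a rule change that reopens a direct path fails review.
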

Analyst notes and limits

This technique is especially material in ICS because remote services are often operationally necessary. The practical defensive question is whether the organization can prove that remote access is intentional, authenticated, least-privileged, segmented, monitored, and reviewable. The supplied relationships connect T0886 to multiple ICS assets and campaigns, including Ukraine electric power attacks, Triton, Poland wiper attacks, and REvil software usage in ICS context; those relationships support prioritization but do not by themselves prove exposure or current activity in any specific environment.

The supplied ATT&CK object has no specified tactics, no platforms on the technique itself, and no official detection text. Telemetry and detection guidance therefore must be validated against local architecture, vendor constraints, asset inventory, and logging availability. This take does not claim active exploitation, customer exposure, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Malware ICS

S1045: INCONTROLLER

INCONTROLLER is custom malware that includes multiple modules tailored towards ICS devices and technologies, including Schneider Electric and Omron PLCs as well as OPC UA, Modbus, and CODESYS protocols. INCONTROLLER has the ability to discover specific devices, download logic on the devices, and exploit platform-specific vulnerabilities. As of September 2022, some security researchers assessed INCONTROLLER was developed by CHERNOVITE.[1][2][3][4][5]

Engineering Workstation, Field Controller/RTU/PLC/IED, Safety Instrumented System/Protection Relay
Malware ICS

S0496: REvil

REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ransomware-as-a-service (RaaS) since at least April 2019. REvil, which has been used against organizations in the manufacturing, transportation, and electric sectors, is highly configurable and shares code similarities with the GandCrab RaaS.[1][2][3]

Windows
Malware ICS

S0603: Stuxnet

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

Windows
Campaign ICS

C0030: Triton Safety Instrumented System Attack

Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.[1] The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.[2] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[3]

Campaign ICS

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper and LazyWiper, a PowerShell wiper, distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 39f96f37549fd237...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 39f96f37549f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure. Retrieved 2018/01/12.
  2. [2] Dragos. (2017, December 13). TRISIS Malware: Analysis of Safety System Targeted Malware. Retrieved 2018/01/12.
  3. [3] Joe Slowik. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved 2019/10/27.
  4. [4] Department of Justice (DOJ), DHS Cybersecurity & Infrastructure Security Agency (CISA). (2021, July 20). Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013 (CISA AA21-201A). Retrieved 2021/10/08.
  5. [5] MITRE ATT&CK. T0886: Remote Services (mirrored source object).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.