V
Scaner-VS
ENRU
HomeCatalogSourcesCWECAPECATT&CKMitigationsDocs
← Back to List
T0886ICS
Matrix: ICS
Status: Active
STIX: 19.0
Source ↗

Remote Services

Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. Remote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed to multiple network segments, and can be used for Program Download or to execute attacks on control devices directly through Valid Accounts. Specific remote services (RDP & VNC) may be a precursor to enable Graphical User Interface execution on devices such as HMIs or engineering workstation software. Based on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks.

Tactics

Initial AccessLateral Movement

Platforms

None

Mitigations

M0800
Authorization Enforcement
M0801
Access Management
M0804
Human User Authentication
M0807
Network Allowlists
M0813
Software Process and Device Authentication
M0918
User Account Management
M0927
Password Policies
M0930
Network Segmentation
M0937
Filter Network Traffic
Open in catalog with ATT&CK filter →

Related CAPECs

Affected vulnerabilities (Inferred)

View on attack.mitre.org ↗
No matches — refine the filter to see a result.