What starting position does this attack require?

The first step is Issue commands via legit UI (T1078) — a initial access primitive. Assumed environment: foothold inside corporate IT.

What is the final impact of this kill-chain?

The final step lands on Suppress alarms / falsify operator view (OT-SAFETY-OVERRIDE), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

HMI default credentials → operations disruption

Wonderware / iFix HMI exposed to the corporate network with vendor-default credentials. Operators see attacker-controlled values + commands sent to PLCs through legit channels.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Issue commands via legit UI

T1078 · Valid Accounts

Discovery

Identify HMI server (Wonderware / iFix / Ignition)

N-NMAP-INTERNAL · Internal Nmap Sweep

Impact

Send dangerous setpoints to PLCs

OT-MODBUS-WRITE · Modbus TCP Write to PLC

Initial Access

Vendor-default admin credentials

OT-HMI-DEFAULTS · HMI Default Credentials

Impact

Suppress alarms / falsify operator view

OT-SAFETY-OVERRIDE · Safety Instrumented System Override

§ Context

Assumed environment: foothold inside corporate IT. HMI server reachable from there. Credentials never rotated from vendor defaults / shared across sites.

§ Steps

01
Issue commands via legit UIInitial Access
T1078— Valid Accounts
02
Identify HMI server (Wonderware / iFix / Ignition)Discovery
N-NMAP-INTERNAL— Internal Nmap Sweep
03
Send dangerous setpoints to PLCsImpact
OT-MODBUS-WRITE— Modbus TCP Write to PLC
04
Vendor-default admin credentialsInitial Access
OT-HMI-DEFAULTS— HMI Default Credentials
05
Suppress alarms / falsify operator viewImpact
OT-SAFETY-OVERRIDE— Safety Instrumented System Override

§ References

T1078Valid Accounts

§ Frequently asked

What is the "HMI default credentials → operations disruption" attack path?: Wonderware / iFix HMI exposed to the corporate network with vendor-default credentials. Operators see attacker-controlled values + commands sent to PLCs through legit channels. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Issue commands via legit UI (T1078) — a initial access primitive. Assumed environment: foothold inside corporate IT.
What is the final impact of this kill-chain?: The final step lands on Suppress alarms / falsify operator view (OT-SAFETY-OVERRIDE), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

HMI default credentials → operations disruption

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Industroyer2 IEC-104 substation hijack

z/OS TN3270 → RACF userID brute → mainframe shell

Reconfigure MFP LDAP → harvest service-account credentials

Open MQTT broker → smart-estate takeover

Engineering workstation → push payload to PLC

Reachable Modbus PLC → direct register override