M0804: Human User Authentication
Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including Multi-factor Authentication, Account Use Policies, Password Policies, User Account Management, Privileged Account Management, and User Account Control.
Analyst context for executives and security teams
Human User Authentication is a foundational ICS control: require a known user to authenticate before data access or device commands are accepted. Its business value is not just “logins”; it creates accountability around high-consequence actions such as controller changes, firmware updates, restarts/shutdowns, alarm changes, operating mode changes, and program upload/download activity. In ICS, strong MFA may not always be feasible, so leaders should treat this as a control-design and compensating-control question, not a checkbox.
Executive priority
Prioritize this mitigation where unauthenticated or weakly authenticated access could affect process availability, safety response functions, controller logic, firmware integrity, or operational visibility. It also supports compliance evidence mapped by ATT&CK to IEC 62443 SR/CR 1.1 and NIST SP 800-53 IA-2. Executives should ask which engineering workstations, remote services, device interfaces, and controller functions still accept commands without named-user authentication, and whether compensating controls are documented where MFA or modern authentication cannot be deployed.
Technical view
For SOC, IR, and OT engineering teams, validate authentication enforcement around the behaviors this mitigation is mapped to: firmware update mode, device restart/shutdown, controller tasking changes, parameter changes, alarm setting changes, program download/upload, online edit, program append, operating mode changes, API execution, remote services, common-port access, and firmware modification. Because ATT&CK provides no detection guidance for M0804, detection engineering should focus on proving whether authentication events and privileged engineering actions are logged, attributable to a user, time-correlated with device commands, and retained for investigation.
Likely telemetry
- Authentication success and failure logs for engineering workstations, jump hosts, remote services, device web interfaces, CLIs, and vendor engineering software where available
- User-to-action audit records for controller program upload/download, online edit, program append, parameter changes, alarm setting changes, firmware update actions, and restart/shutdown commands
- Remote access and session records for RDP, SMB, SSH, and similar services used to interact with ICS assets
- Network records showing access to commonly used ports and ICS device management interfaces, especially when application-level user identity is not visible
- Account inventory and privilege assignment records for standard users, engineering users, service accounts, and privileged accounts
Detection direction
- First validate visibility: many ICS devices and legacy interfaces may not produce sufficient user-level audit logs, so absence of authentication telemetry is itself a coverage gap.
- Tune detections around authenticated-but-risky actions, not only failed logins: program download/upload, online edit, firmware update mode, operating mode changes, alarm changes, parameter changes, and restart/shutdown events should be reviewed against approved maintenance activity.
- Correlate remote service sessions and engineering workstation logons with downstream device commands to preserve user accountability when the controller only sees the workstation or application.
- Watch for use of shared, default, or privileged accounts because MITRE notes related adversarial techniques such as Valid Accounts and Default Credentials can target the surrounding authentication process.
- Expect false positives during scheduled maintenance, commissioning, firmware updates, and emergency operations; use change windows, asset criticality, and operator authorization as tuning context.
Mitigation priorities
- Require user authentication before allowing data access or accepting device commands wherever the ICS asset and workflow support it.
- Prefer strong multi-factor authentication where feasible, while documenting compensating controls where ICS constraints prevent it.
- Pair authentication with related ATT&CK mitigations named by MITRE: Multi-factor Authentication, Account Use Policies, Password Policies, User Account Management, Privileged Account Management, and User Account Control.
- Eliminate or tightly govern shared, default, and unmanaged accounts, especially for engineering software, remote services, and device administration paths.
- Prioritize highest-consequence functions first: firmware changes, controller program changes, operating mode changes, restart/shutdown, alarm changes, and parameter modification.
Analyst notes and limits
This is an ICS mitigation object, not a technique. Its value is relationship-driven: it mitigates many high-consequence ICS behaviors involving controller logic, firmware, device state, remote services, and process visibility. The ATT&CK record explicitly cautions that MFA is preferable but not always feasible in ICS, so practical assessment should focus on named-user accountability, privileged access governance, and compensating controls.
MITRE provides no official detection text, no specific platforms, and no tactics for this object. Local architecture, device capabilities, vendor logging support, remote access design, and engineering workflow evidence are required to determine actual enforceability and monitoring coverage.
Human User Authentication
Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including Multi-factor Authentication, Account Use Policies, Password Policies, User Account Management, Privileged Account Management, and User Account Control.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0838 | Modify Alarm Settings | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0885 | Commonly Used Port | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0858 | Change Operating Mode | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0816 | Device Restart/Shutdown | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0843.002 | Online Edit Sub-technique | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0868 | Detect Operating Mode | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T1693.001 | System Firmware Sub-technique | Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0821 | Modify Controller Tasking | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0843.003 | Program Append Sub-technique | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0800 | Activate Firmware Update Mode | Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management |
| ICS | T0886 | Remote Services | All remote services should require strong authentication before providing user access. |
| ICS | T0861 | Point & Tag Identification | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T1693 | Modify Firmware | Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0843.001 | Download All Sub-technique | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0836 | Modify Parameter | All field controllers should require that user authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0871 | Execution through API | All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes. |
| ICS | T1693.002 | Module Firmware Sub-technique | Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0845 | Program Upload | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0843 | Program Download | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
| ICS | T0889 | Modify Program | All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | 0d65f4c44ee0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack M0804Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.