M0915: Active Directory Configuration
Configure Active Directory to prevent use of certain techniques; use security identifier (SID) Filtering, etc.
Analyst context for executives and security teams
Active Directory Configuration matters because weak directory trust, account, and SID handling can let stolen or default credentials remain useful across connected environments. In an ICS context, this mitigation is decision-relevant because identity controls may be one of the few barriers between a compromised account and access to operational resources. The supplied ATT&CK object specifically calls out configuring Active Directory to prevent certain techniques, including use of SID Filtering.
Executive priority
Treat this as an identity-risk and resilience control, not just a Windows administration task. Leaders should ask whether Active Directory configuration is reviewed as part of ICS access governance, whether trust relationships and inherited privileges are understood, and whether evidence exists for audits or incident reviews. Because this mitigation is linked to Valid Accounts, priority should be highest where AD-backed access can reach sensitive operational systems, remote access paths, or privileged service accounts.
Technical view
SOC, IAM, and IR teams should validate whether Active Directory settings reduce the usefulness of compromised or default accounts associated with the related Valid Accounts technique. The ATT&CK entry does not provide detection guidance or platforms, so teams should base validation on local directory architecture and ICS access paths. Practical review areas include SID Filtering where applicable, trust configuration, privileged group membership, service account configuration, and whether AD changes affecting access to operational resources are logged and reviewable.
Likely telemetry
- Active Directory configuration and trust relationship records
- Directory audit logs for account, group, and privilege changes
- Authentication logs for user and service accounts
- Administrative change records for domain, trust, and policy configuration
- Access control evidence for systems or resources relying on Active Directory
Detection direction
- Confirm that monitoring can show when AD configuration changes alter access to ICS-relevant resources.
- Tune reviews around high-risk identity changes, especially privileged group membership, trust changes, service account changes, and authentication patterns involving accounts with operational access.
- Account for false positives from legitimate administration by correlating changes with approved maintenance windows and change tickets.
- Because ATT&CK provides no official detection text for this mitigation, detection engineering should be validated against local AD design, trust boundaries, and the related Valid Accounts behavior.
Mitigation priorities
- Review Active Directory configuration supporting access to operational environments and document the intended trust and privilege model.
- Apply SID Filtering where relevant to reduce abuse across trust boundaries, consistent with the official mitigation description.
- Reduce exposure from compromised or default credentials by tightening account privileges, service account use, and access paths tied to operational resources.
- Establish recurring evidence collection for AD configuration reviews, privileged access reviews, and change approval.
- Integrate AD configuration checks into incident response playbooks for suspected Valid Accounts activity.
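The trust, privileged-group, and change-log review areas named under Technical view, Detection direction, and Mitigation priorities, as one added PowerShell walkthrough (this is illustrative code written for this page, not MITRE's or Glexia's). It assumes the RSAT ActiveDirectory module, read access to trust objects and the Security log, and a placeholder domain controller name in `$Dc`.

```powershell
# Added example: audit AD trusts, privileged group membership, and change events
# relevant to M0915. Assumes the RSAT ActiveDirectory module and an account that can
# read trust objects and the Security log on the domain controller named in $Dc.
Import-Module ActiveDirectory

$Dc = "dc01.example.local"   # placeholder; replace with a real domain controller

# 1. Trust review: SID filtering and selective authentication per trust.
#    For external trusts, SIDFilteringQuarantined = $true means SID filter
#    quarantining is enforced; forest trusts expose SIDFilteringForestAware instead,
#    so compare both flags against the documented trust model, not a single rule.
$trusts = Get-ADTrust -Filter * -Server $Dc |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
                  SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication
$trusts | Format-Table -AutoSize

$external = $trusts | Where-Object { -not $_.IntraForest -and -not $_.ForestTransitive }
$weak = $external | Where-Object { -not $_.SIDFilteringQuarantined }
if ($weak) {
    Write-Warning "External trusts without SID filter quarantine: $($weak.Name -join ', ')"
}

# 2. Privileged group review: recursive membership of the built-in high-privilege groups.
$privGroups = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"
foreach ($g in $privGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -Server $Dc |
        Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{ Group = $g; Count = @($members).Count; Members = ($members -join ", ") }
}

# 3. Change evidence: trust and privileged-group change events from the Security log.
#    4706/4707/4716 = trust created/removed/modified; 4728/4732/4756 = member added
#    to a global/local/universal security group. Correlate hits with change tickets.
$ids = 4706, 4707, 4716, 4728, 4732, 4756
Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = "Security"; Id = $ids; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = "Summary"; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it from an administrative PowerShell session on a domain-joined host; the warning in step 1 and the event list in step 3 are the items to reconcile against the documented trust model and approved maintenance windows.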
Analyst notes and limits
This is a mitigation object in the ICS ATT&CK domain, not a technique. Its value comes from reducing the effectiveness of Valid Accounts by hardening Active Directory configuration. The relationship context is important: compromised or default credentials may bypass access controls and support persistent access, so AD configuration should be reviewed alongside credential hygiene and privileged access governance.
The official object is sparse: no platforms, tactics, or detection guidance are specified. This take therefore avoids claims about specific operating systems, tools, adversaries, active exploitation, or guaranteed detection. Local architecture is required to determine whether Active Directory is in scope for a given ICS environment and which logs or controls provide evidence.
Active Directory Configuration
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0859 | Valid Accounts | Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 32271984f426… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: M0915
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.