M0917: User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Analyst context for executives and security teams
User Training (M0917) matters because several ICS-related adversary behaviors depend on people opening malicious attachments, enabling content, installing software, granting permissions, or mishandling sensitive control-system information. For executives and security leaders, the value is not generic awareness training; it is whether personnel who can access ICS designs, repositories, local files, and operational documentation can recognize and report manipulation attempts before they become execution or data collection events.
Executive priority
Treat this as a resilience and governance control for environments where human interaction can expose ICS information or enable malicious code execution. Leaders should ask whether training is role-based for personnel with access to control-system layouts, schematics, specifications, reference databases, and related corporate repositories; whether phishing and social-engineering reporting processes are measured; and whether audit evidence aligns to NIST SP 800-53 Rev. 5 AT-2. Training should be prioritized alongside technical controls, not used as a substitute for email security, access control, monitoring, and incident response readiness.
Technical view
ATT&CK does not provide a detection section for this mitigation, so validation should focus on control effectiveness and supporting telemetry. SOC, IR, and detection teams should confirm they can observe and investigate user-driven events related to the mitigated techniques: suspicious email attachments, document execution or scripting enablement, software installation prompts, permission grants, and access to sensitive ICS repositories or local files. Relationship context links this mitigation to User Execution, Spearphishing Attachment, Data from Information Repositories, and Data from Local System, so training scenarios and response playbooks should be tested against those behaviors.
Likely telemetry
- Security awareness and role-based training completion records
- Phishing simulation results and user reporting metrics
- User-submitted suspicious email reports and help desk tickets
- Email security logs for attachments and suspected spearphishing messages
- Endpoint or application logs showing document opening, scripting or macro enablement, installer execution, or permission prompts where collected
Detection direction
- Do not measure this mitigation only by training completion; validate whether users report suspicious attachments and manipulation attempts quickly enough for SOC response.
- Tune monitoring and triage around user interaction paths described in the related techniques, especially attachment handling, document scripting enablement, software installation, and access to sensitive ICS documentation.
- Correlate user reports with email, endpoint, repository, and help desk evidence to distinguish benign mistakes from potentially malicious social-engineering activity.
- Identify blind spots where ICS engineers, contractors, or operations staff have access to sensitive repositories but are not covered by role-specific training or reporting workflows.
- Account for false positives: users may open legitimate engineering documents, installers, or operational files as part of normal work, so detection should use context, sensitivity of data, and unusual interaction patterns rather than training data alone.
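As an added example that is not part of this page or of ATT&CK, the correlation and reporting-speed checks above can be run over constructed sample telemetry; the log field names, the 30-minute reporting SLA and the set of risky endpoint actions are assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page): email gateway attachment log,
# user-submitted suspicious-email reports, and endpoint document/installer events.
EMAIL_LOG = [
    {"msg_id": "m1", "recipient": "eng1", "attachment": "plc_update.docm", "ts": "2024-05-01T09:00:00"},
    {"msg_id": "m2", "recipient": "eng2", "attachment": "schematic_v2.pdf", "ts": "2024-05-01T09:05:00"},
    {"msg_id": "m3", "recipient": "ops1", "attachment": "vendor_tool.exe", "ts": "2024-05-01T09:10:00"},
]
USER_REPORTS = [
    {"msg_id": "m1", "reporter": "eng1", "ts": "2024-05-01T09:40:00"},
    {"msg_id": "m2", "reporter": "eng2", "ts": "2024-05-01T09:07:00"},
]
ENDPOINT_LOG = [
    {"user": "eng1", "action": "macro_enabled", "file": "plc_update.docm", "ts": "2024-05-01T09:20:00"},
    {"user": "ops1", "action": "installer_executed", "file": "vendor_tool.exe", "ts": "2024-05-01T09:30:00"},
]
# Assumed set of user-interaction actions worth escalating when they precede a report.
RISKY_ACTIONS = {"macro_enabled", "installer_executed", "permission_granted"}

def _t(s):
    return datetime.fromisoformat(s)

def correlate(emails, reports, endpoint, sla=timedelta(minutes=30)):
    """One triage record per attachment email: reported or not, how fast,
    and whether a risky endpoint action on that attachment preceded the report."""
    reports_by_msg = {r["msg_id"]: r for r in reports}
    results = {}
    for e in emails:
        rep = reports_by_msg.get(e["msg_id"])
        report_ts = _t(rep["ts"]) if rep else None
        latency = (report_ts - _t(e["ts"])) if rep else None
        risky = [ev for ev in endpoint if ev["user"] == e["recipient"]
                 and ev["file"] == e["attachment"] and ev["action"] in RISKY_ACTIONS]
        acted_before_report = any(report_ts is None or _t(ev["ts"]) < report_ts for ev in risky)
        if acted_before_report:
            priority = "escalate"   # content was executed with no report or a late one: IR review
        elif rep and latency <= sla:
            priority = "triage"     # reported within SLA: analyst checks the attachment
        else:
            priority = "review"     # late or missing report, no risky action observed yet
        results[e["msg_id"]] = {"reported": rep is not None,
                                "latency_min": latency.total_seconds() / 60 if rep else None,
                                "risky_actions": [ev["action"] for ev in risky],
                                "priority": priority}
    return results

def reporting_rate(results, sla_minutes=30):
    """Share of attachment emails reported within SLA: a training outcome metric,
    as opposed to a training completion metric."""
    within = [r for r in results.values() if r["reported"] and r["latency_min"] <= sla_minutes]
    return len(within) / len(results) if results else 0.0
```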
Mitigation priorities
- Prioritize role-based training for users with access to ICS information repositories, local engineering files, control-system diagrams, specifications, and process documentation.
- Include practical scenarios for spearphishing attachments, malicious document prompts, software installers, permission requests, and attempts to elicit sensitive operational information.
- Make reporting simple and measurable so suspicious emails, attachments, and social-engineering attempts reach the SOC or incident response function quickly.
- Use training results to improve technical controls and playbooks, including email handling, endpoint monitoring, repository access governance, and incident escalation.
- Maintain evidence of training scope, completion, and effectiveness to support compliance readiness for the NIST SP 800-53 Rev. 5 AT-2 control mapping listed on this page.
Analyst notes and limits
This is an ICS ATT&CK mitigation, not a detection analytic. Its main decision value is confirming that awareness activities are tied to the specific human-enabled behaviors ATT&CK relates to it: spearphishing attachment, user execution, and collection of sensitive data from repositories or local systems. The most important local validation question is whether the people with access to high-value ICS information are trained, measured, and integrated into reporting and response workflows.
The supplied ATT&CK object does not specify platforms, tactics, aliases, or official detection guidance. The related technique descriptions are partially truncated in the source material. Any assessment of coverage, exposure, or effectiveness requires local evidence from training programs, access inventories, email and endpoint telemetry, repository logging, and incident response records.
User Training
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0863 | User Execution | Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
| ICS | T0865 | Spearphishing Attachment | Users can be trained to identify social engineering techniques and spearphishing emails. |
| ICS | T0893 | Data from Local System | Develop and publish policies that define acceptable information to be stored on local systems. |
| ICS | T0811 | Data from Information Repositories | Develop and publish policies that define acceptable information to be stored in repositories. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d9a665fd1d77… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.