M0918: User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.
Analyst context for executives and security teams
User Account Management is a foundational ICS mitigation: controlling who can create, change, use, and receive permissions for accounts. Its business value is strongest where compromised, default, stale, or over-privileged accounts could enable remote access, access to sensitive engineering information, alarm changes, or service disruption.
Executive priority
Treat this as an operational resilience and audit-evidence priority, not just an IT hygiene task. Leaders should ask whether account ownership, approval, privilege review, and removal processes cover the systems and repositories that support control operations, including remote access paths. The ATT&CK mappings connect this mitigation to risks involving Valid Accounts, External Remote Services, Remote Services, Data from Information Repositories, Modify Alarm Settings, and Service Stop, all of which can affect incident response confidence and continuity of operations in ICS environments.
Technical view
SOC, IR, IAM, and OT security teams should validate that account lifecycle controls are enforceable and observable for ICS-relevant systems, remote access mechanisms, information repositories, and operator/engineering functions. Because ATT&CK provides no official detection text and no platforms for this mitigation, local architecture must drive the control test plan. Focus validation on whether account creation, permission changes, remote login use, privileged actions, alarm-setting changes, and service-stop permissions can be traced to approved users and change records.
Likely telemetry
- User account creation, modification, disablement, and deletion records
- Group, role, and permission assignment changes
- Authentication and remote access logs for external and internal remote services
- Privileged account usage and administrative session records
- Access logs for repositories containing ICS specifications, schematics, diagrams, or process information
Detection direction
- Confirm logs exist for the account-management actions that matter most: creation, privilege escalation, role changes, disablement, and use of shared or service accounts.
- Correlate account activity with remote service use, especially where accounts provide access into or across control-system network segments.
- Review access to information repositories for unusual users, excessive permissions, or access outside approved operational need.
- Validate whether changes to alarm settings or service state require identifiable, authorized accounts and generate reviewable evidence.
- Tune reviews for expected maintenance and vendor-support activity to reduce false positives, while preserving accountability for temporary, emergency, or remote access.
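The correlation the bullets above describe, as an added example (not MITRE text and not Glexia tooling): a small Python script over constructed, normalised audit records that flags account creation or privileged-group changes without an approved change ID, remote logins by accounts outside the remote-access allowlist or by freshly created unapproved accounts, and service-stop or alarm-configuration actions by accounts outside the authorized roles. The event and field names, the POLICY dict, the account names, hosts, change IDs and addresses are all assumptions and must be mapped to your own account store, remote-access logs and change system.

```python
"""Correlate account-lifecycle events with remote access and privileged OT actions.

Added example, not MITRE text and not Glexia tooling. Event/field names,
accounts, hosts, change IDs and addresses are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed local policy. In practice this is sourced from the change system
# (approved change IDs, maintenance/vendor windows) and from IAM role definitions.
POLICY = {
    "approved_changes": {"CHG-1042"},
    "remote_allowed": {"jdoe", "vendor_tmp1"},      # accounts permitted on VPN / jump host
    "service_admins": {"ops_admin"},                # may change service state (T0881)
    "alarm_engineers": {"jdoe"},                    # may change alarm settings (T0838)
    "privileged_groups": {"HMI_Engineers", "Domain Admins"},
    "new_account_window": timedelta(hours=24),      # "new account then remote use" lookback
}

# Constructed audit records (JSON lines) in the shape of a normalised feed of
# account lifecycle, remote-access and OT action events. Not real data.
SAMPLE_LOG = """
{"ts": "2026-03-02T08:00:00Z", "event": "account_created", "actor": "svc_provision", "target": "vendor_tmp1", "change_id": "CHG-1042"}
{"ts": "2026-03-02T08:05:00Z", "event": "group_added", "actor": "svc_provision", "target": "vendor_tmp1", "group": "HMI_Engineers", "change_id": "CHG-1042"}
{"ts": "2026-03-02T09:10:00Z", "event": "remote_login", "account": "vendor_tmp1", "service": "vpn", "src": "203.0.113.7"}
{"ts": "2026-03-02T22:30:00Z", "event": "account_created", "actor": "jdoe", "target": "backup2", "change_id": null}
{"ts": "2026-03-02T22:31:00Z", "event": "group_added", "actor": "jdoe", "target": "backup2", "group": "Domain Admins", "change_id": null}
{"ts": "2026-03-02T22:40:00Z", "event": "remote_login", "account": "backup2", "service": "rdp_jump", "src": "198.51.100.9"}
{"ts": "2026-03-02T22:45:00Z", "event": "service_stop", "account": "backup2", "host": "hist01", "service": "Historian"}
{"ts": "2026-03-03T10:00:00Z", "event": "alarm_config_change", "account": "jdoe", "host": "hmi03", "tag": "PT-101.HIHI"}
{"ts": "2026-03-03T10:05:00Z", "event": "alarm_config_change", "account": "vendor_tmp1", "host": "hmi03", "tag": "PT-101.HIHI"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, ordered by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def analyze(events, policy=POLICY):
    """Return (rule, account, detail) findings in event order."""
    findings = []
    created = {}  # account -> its account_created event, for the new-account lookback
    approved = policy["approved_changes"]
    for ev in events:
        kind = ev["event"]
        if kind == "account_created":
            created[ev["target"]] = ev
            if ev.get("change_id") not in approved:
                findings.append(("unapproved_creation", ev["target"],
                                 f"by {ev['actor']}, change_id={ev.get('change_id')}"))
        elif kind == "group_added":
            if ev["group"] in policy["privileged_groups"] and ev.get("change_id") not in approved:
                findings.append(("unapproved_privilege", ev["target"],
                                 f"added to {ev['group']} by {ev['actor']}"))
        elif kind == "remote_login":
            acct = ev["account"]
            if acct not in policy["remote_allowed"]:
                findings.append(("remote_not_allowed", acct, f"{ev['service']} from {ev['src']}"))
            c = created.get(acct)
            # Remote use shortly after an unapproved creation is the classic
            # valid-account abuse pattern; approved vendor accounts pass here.
            if c and ev["ts"] - c["ts"] <= policy["new_account_window"] \
                    and c.get("change_id") not in approved:
                findings.append(("new_account_remote_use", acct,
                                 f"created {c['ts']:%Y-%m-%d %H:%M}Z without approved change, "
                                 f"remote login via {ev['service']}"))
        elif kind == "service_stop" and ev["account"] not in policy["service_admins"]:
            findings.append(("service_stop_unauthorized", ev["account"],
                             f"{ev['service']} on {ev['host']}"))
        elif kind == "alarm_config_change" and ev["account"] not in policy["alarm_engineers"]:
            findings.append(("alarm_change_unauthorized", ev["account"],
                             f"{ev['tag']} on {ev['host']}"))
    return findings


if __name__ == "__main__":
    for rule, account, detail in analyze(parse_events(SAMPLE_LOG)):
        print(f"{rule:28} {account:12} {detail}")
```

On the constructed input the approved vendor account (created and privileged under CHG-1042, then used over VPN) produces no findings, while the unapproved `backup2` account generates a creation, privilege, remote-use and service-stop chain, and the vendor account is still flagged when it touches an alarm threshold it has no role for. The `approved_changes` set is where the tuning in the last bullet lives: maintenance and vendor-support work stays quiet only if it is tied to a change record, which keeps the accountability the bullet asks for.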
Mitigation priorities
- Establish accountable ownership for all user and service accounts associated with ICS operations and supporting repositories.
- Define approval, modification, periodic review, and removal processes for account permissions, with extra scrutiny for remote access and privileged roles.
- Reduce unnecessary privileges and remove stale, default, or unused accounts where operationally feasible.
- Tie privileged and remote access to documented business need, maintenance windows, or approved support processes.
- Maintain audit evidence for account reviews and access changes to support compliance mappings referenced by ATT&CK, including IEC 62443 SR/CR 1.3 and NIST SP 800-53 AC-2.
Analyst notes and limits
This is a mitigation object, so the main decision value is control assurance: can the organization prove that account lifecycle and permission management reduce the opportunity for valid-account abuse, unauthorized remote access, repository collection, alarm tampering, or service interruption in ICS contexts? The relationship set makes identity governance a cross-cutting OT security control rather than a narrow administrative task.
ATT&CK provides only a brief mitigation description, no official detection guidance, no platforms, and no tactics for this object. The telemetry and validation guidance above are derived from the supplied mitigation purpose and its listed relationships, so each organization must confirm applicability against its own ICS architecture, account stores, remote access methods, and logging capabilities.
How security teams should use this page
Treat this object as control context, not an attribution claim. Validate the related techniques, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques addressed by this mitigation
This mirrors the MITRE pattern of making mitigation-to-technique relationships scannable. Relationship notes are the mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| ICS | T0881 | Service Stop | Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations. |
| ICS | T0859 | Valid Accounts | Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Implement user accounts for each individual for enforcement and non-repudiation of actions. |
| ICS | T0838 | Modify Alarm Settings | Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds. |
| ICS | T0822 | External Remote Services | Consider utilizing jump boxes for external remote access. Additionally, dynamic account management may be used to easily remove accounts when not in use. |
| ICS | T0886 | Remote Services | Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs. |
| ICS | T0811 | Data from Information Repositories | Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 346241fdb1cb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M0918 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.