More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/ics">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/ics">ICS</a></li> <li class="breadcrumb-item">Valid Accounts</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Valid Accounts </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. 
Adversaries may choose to rely on the legitimate access those credentials provide rather than on malware or tools, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. </p><p>Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </p><p>The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. 
Adversaries may be able to leverage valid credentials from one system to gain access to another system.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T0859 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques: </span> No sub-techniques </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/versions/v16/tactics/TA0110">Persistence</a>, <a href="/versions/v16/tactics/TA0109">Lateral Movement</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>None </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>21 May 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>13 October 2023 </div> </div> </div> 
</div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T0859" href="/versions/v16/techniques/T0859/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T0859" href="/techniques/T0859/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/campaigns/C0028"> C0028 </a> </td> <td> <a href="/versions/v16/campaigns/C0028"> 2015 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><sup><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0025"> C0025 </a> </td> <td> <a href="/versions/v16/campaigns/C0025"> 2016 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used valid accounts to laterally move through VPN connections and dual-homed systems.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1000"> G1000 </a> </td> <td> <a href="/versions/v16/groups/G1000"> ALLANITE </a> </td> <td> <p><a href="/versions/v16/groups/G1000">ALLANITE</a> utilized credentials collected through phishing and watering hole attacks. <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Dragos Allanite Retrieved. 
2019/10/27 "data-reference="Dragos"><sup><a href="https://dragos.com/resource/allanite/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0089"> S0089 </a> </td> <td> <a href="/versions/v16/software/S0089"> BlackEnergy </a> </td> <td> <p><a href="/versions/v16/software/S0089">BlackEnergy</a> utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1045"> S1045 </a> </td> <td> <a href="/versions/v16/software/S1045"> INCONTROLLER </a> </td> <td> <p><a href="/versions/v16/software/S1045">INCONTROLLER</a> can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022."data-reference="CISA-AA22-103A"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p><p><a href="/versions/v16/software/S1045">INCONTROLLER</a> can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022."data-reference="CISA-AA22-103A"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30."data-reference="Wylie-22"><sup><a href="https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v16/groups/G0049"> OilRig </a> </td> <td> <p><a href="/versions/v16/groups/G0049">OilRig</a> utilized stolen credentials to gain access to victim machines.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Dragos Allanite Retrieved. 2019/10/27 "data-reference="Dragos"><sup><a href="https://dragos.com/resource/allanite/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0030"> C0030 </a> </td> <td> <a href="/versions/v16/campaigns/C0030"> Triton Safety Instrumented System Attack </a> </td> <td> <p>In the <a href="https://attack.mitre.org/campaigns/C0030">Triton Safety Instrumented System Attack</a>, <a href="/versions/v16/groups/G0088">TEMP.Veles</a> used valid credentials when laterally moving through RDP jump boxes into the ICS environment.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. 
Retrieved January 6, 2021."data-reference="FireEye TRITON 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="assets">Targeted Assets</h2> <table class="table table-bordered table-alternate mt-2" aria-describedby="asset-table"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Asset</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/assets/A0008"> A0008 </a> </td> <td> <a href="/versions/v16/assets/A0008"> Application Server </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0007"> A0007 </a> </td> <td> <a href="/versions/v16/assets/A0007"> Control Server </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0009"> A0009 </a> </td> <td> <a href="/versions/v16/assets/A0009"> Data Gateway </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0006"> A0006 </a> </td> <td> <a href="/versions/v16/assets/A0006"> Data Historian </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0013"> A0013 </a> </td> <td> <a href="/versions/v16/assets/A0013"> Field I/O </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0002"> A0002 </a> </td> <td> <a href="/versions/v16/assets/A0002"> Human-Machine Interface (HMI) </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0005"> A0005 </a> </td> <td> <a href="/versions/v16/assets/A0005"> Intelligent Electronic Device (IED) </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0012"> A0012 </a> </td> <td> <a href="/versions/v16/assets/A0012"> Jump Host </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0003"> A0003 </a> </td> <td> <a href="/versions/v16/assets/A0003"> Programmable Logic Controller (PLC) </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0004"> A0004 </a> </td> <td> <a href="/versions/v16/assets/A0004"> Remote Terminal Unit (RTU) </a> </td> </tr> 
<tr> <td> <a href="/versions/v16/assets/A0010"> A0010 </a> </td> <td> <a href="/versions/v16/assets/A0010"> Safety Controller </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0011"> A0011 </a> </td> <td> <a href="/versions/v16/assets/A0011"> Virtual Private Network (VPN) Server </a> </td> </tr> <tr> <td> <a href="/versions/v16/assets/A0001"> A0001 </a> </td> <td> <a href="/versions/v16/assets/A0001"> Workstation </a> </td> </tr> </tbody> </table> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/mitigations/M0801"> M0801 </a> </td> <td> <a href="/versions/v16/mitigations/M0801"> Access Management </a> </td> <td> <p>Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.</p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M0936"> M0936 </a> </td> <td> <a href="/versions/v16/mitigations/M0936"> Account Use Policies </a> </td> <td> <p>Configure features related to account use, such as login attempt lockouts, specific login times, and password strength requirements. Consider these features as they relate to assets which may impact safety and availability. <span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 "data-reference="Keith Stouffer May 2015"><sup><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M0915"> M0915 </a> </td> <td> <a href="/versions/v16/mitigations/M0915"> Active Directory Configuration </a> </td> <td> <p>Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. <span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 "data-reference="Keith Stouffer May 2015"><sup><a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> <span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 2020/09/25 "data-reference="Schweitzer Engineering Laboratories August 2015"><sup><a href="https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M0913"> M0913 </a> </td> <td> <a href="/versions/v16/mitigations/M0913"> Application Developer Guidance </a> </td> <td> <p>Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). 
<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 "data-reference="CISA June 2013"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/TA13-175A" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M0947"> M0947 </a> </td> <td> <a href="/versions/v16/mitigations/M0947"> Audit </a> </td> <td> <p>Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.</p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M0937"> M0937 </a> </td> <td> <a href="/versions/v16/mitigations/M0937"> Filter Network Traffic </a> </td> <td> <p>Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but also to expected IP ranges, to mitigate the use of stolen credentials to access data.</p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M0932"> M0932 </a> </td> <td> <a href="/versions/v16/mitigations/M0932"> Multi-factor Authentication </a> </td> <td> <p>Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.</p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M0927"> M0927 </a> </td> <td> <a href="/versions/v16/mitigations/M0927"> Password Policies </a> </td> <td> <p>Default usernames and passwords on applications and appliances should be changed immediately after installation, and before deployment to a production environment. 
<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 "data-reference="CISA June 2013"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/TA13-175A" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M0926"> M0926 </a> </td> <td> <a href="/versions/v16/mitigations/M0926"> Privileged Account Management </a> </td> <td> <p>Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system-wide access with stolen privileged account credentials. <span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 "data-reference="Microsoft May 2017"><sup><a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span> <span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 2020/09/25 "data-reference="Microsoft August 2018"><sup><a href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> These audits should also identify whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. 
<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 "data-reference="Microsoft February 2019"><sup><a href="https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M0918"> M0918 </a> </td> <td> <a href="/versions/v16/mitigations/M0918"> User Account Management </a> </td> <td> <p>Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Implement user accounts for each individual for enforcement and non-repudiation of actions.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0028"> <td> <a href="/versions/v16/datasources/DS0028">DS0028</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0028">Logon Session</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0028/#Logon%20Session%20Creation">Logon Session Creation</a> </td> <td> <p>Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. 
Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). </p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0028-Logon Session Metadata"> <td></td> <td></td> <td> <a href="/datasources/DS0028/#Logon%20Session%20Metadata">Logon Session Metadata</a> </td> <td> <p>Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.</p> </td> </tr> <tr class="datasource" id="uses-DS0002"> <td> <a href="/versions/v16/datasources/DS0002">DS0002</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0002">User Account</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0002/#User%20Account%20Authentication">User Account Authentication</a> </td> <td> <p>Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank"> Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank"> Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case. Retrieved March 27, 2018. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank"> Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://dragos.com/resource/allanite/" target="_blank"> Dragos. Allanite. Retrieved 2019/10/27. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" target="_blank"> DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" target="_blank"> Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30. 
</a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html" target="_blank"> Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved January 6, 2021. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="8.0"> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" target="_blank"> Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?" target="_blank"> Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 2020/09/25 </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://us-cert.cisa.gov/ncas/alerts/TA13-175A" target="_blank"> CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft" target="_blank"> Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 
2020/09/25 </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" target="_blank"> Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 2020/09/25 </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" target="_blank"> Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> 