T1098: Account Manipulation
| View on MITRE ATT&CK | T1098 |
|---|---|
| Tactic(s) | Persistence, Privilege Escalation |
Data from MITRE ATT&CK®:
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Reporting on this Technique
Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
Reporting from Mandiant which discusses the exploitation of Pulse Secure VPN devices in 2021 and 12 malware families associated with the campaign. ...
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Threat Assessment: Black Basta Ransomware
This threat assessment from Palo Alto's Unit 42 describes the Black Basta 'Ransomware as a Service' operation including TTPs (tactics, techniques ...
Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
This Cybersecurity Advisory by CISA with US and international partners outlines activity which they link to APT29 (also known as The Dukes, Cozy ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...
Multi-factor Authentication
Use two or more pieces of evidence to authenticate to a system, such as username and password in addition to a token from a physical smart card or token generator.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.
Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
How to detect this technique
MITRE ATT&CK Data Components
Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)
Active Directory Object Modification (Active Directory)
Changes made to an Active Directory object (ex: Windows EID 5163 or 5136)
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc.)
Group Modification (Group)
Changes made to a group, such as membership, name, or permissions (ex: Windows EID 4728 or 4732, AWS IAM UpdateGroup)
User Account Modification (User Account)
Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)
File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)
Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
GCP - Delete Service Account Key
Domain Password Policy Check: No Uppercase Character in Password
Admin Account Manipulate
Domain Password Policy Check: No Special Character in Password
Domain Account and Group Manipulate
Azure AD - adding permission to application
Azure AD - adding user to Azure AD role
AWS - Create a group and add a user to that group
Azure - adding service principal to Azure role in subscription
Azure - adding user to Azure role in subscription
Domain Password Policy Check: No Lowercase Character in Password
Domain Password Policy Check: Only Two Character Classes
Domain Password Policy Check: Short Password
Domain Password Policy Check: No Number in Password
Azure AD - adding service principal to Azure AD role
Domain Password Policy Check: Common Password Use
Password Change on Directory Service Restore Mode (DSRM) Account
Sigma Detections for this Technique
Number Of Resource Creation Or Deployment Activities
Bitbucket Global Permission Changed
Change to Authentication Method
Cisco Local Accounts
Enabled User Right in AD to Control User Objects
User Added to Local Administrator Group
Powershell LocalAccount Manipulation
Password Change on Directory Service Restore Mode (DSRM) Account
AWS Route 53 Domain Transferred to Another Account
Google Workspace Granted Domain API Access
A New Trust Was Created To A Domain
Google Workspace User Granted Admin Privileges
Powerview Add-DomainObjectAcl DCSync AD Extend Right
GCP Access Policy Deleted
Anomalous User Activity
AWS Route 53 Domain Transfer Lock Disabled
Privileged User Has Been Created
User Added To Highly Privileged Group
AWS User Login Profile Was Modified
A Member Was Added to a Security-Enabled Global Group
A Security-Enabled Global Group Was Deleted
User Added to Local Administrators Group
Bulk Deletion Changes To Privileged Account Permissions
A Member Was Removed From a Security-Enabled Global Group
AWS IAM Backdoor Users Keys
Active Directory User Backdoors
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.