T1098

Account Manipulation

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compro...
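The following Python script is an added worked example, not code from this page or from any of the catalogued rule sources. It runs simplified versions of three patterns that the technique text and several of the rule titles on this page point at (addition to a privileged group, the "Don't Expire Password" flag being set, and rapid repeated password changes, i.e. the iterative password updates used to defeat password-age policy) over constructed Windows Security event records. The flattened dict form of the events, the account and group names, the thresholds, and the UserAccountControl resource code used to recognise the never-expires flag are assumptions; check the last against how your collector renders event 4738.

```python
"""Toy account-manipulation detector over Windows Security events.

Added illustration; it is not one of the catalogued rules. It covers
three behaviours: addition to a privileged group (4728/4732/4756),
the 'Don't Expire Password' flag being set on an account (4738), and
rapid repeated password changes on one account (4723), which is the
"iterative password updates" trick used to outlive password-age policy.
Event records are a constructed, flattened dict form of the native
events, not a real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known privileged groups: built-in SIDs plus domain-relative RIDs.
PRIVILEGED_SIDS = {
    "S-1-5-32-544",  # Administrators
    "S-1-5-32-548",  # Account Operators
    "S-1-5-32-549",  # Server Operators
    "S-1-5-32-551",  # Backup Operators
}
PRIVILEGED_RIDS = {"512", "518", "519"}  # Domain, Schema, Enterprise Admins

GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global/local/universal security group
ACCOUNT_CHANGED_EVENT = 4738            # "A user account was changed"
PASSWORD_CHANGE_EVENT = 4723            # "An attempt was made to change an account's password"
# 4738 reports UserAccountControl changes as resource codes or their rendered text;
# %%2089 is "'Don't Expire Password' - Enabled" (assumption: verify against your forwarder).
NEVER_EXPIRE_MARKERS = ("%%2089", "'Don't Expire Password' - Enabled")
CYCLE_THRESHOLD = 5                     # this many password changes ...
CYCLE_WINDOW = timedelta(minutes=10)    # ... inside this window counts as cycling


def is_privileged_group(sid: str) -> bool:
    """True for a built-in admin group or a domain group with an admin RID."""
    return sid in PRIVILEGED_SIDS or sid.rsplit("-", 1)[-1] in PRIVILEGED_RIDS


def detect(events):
    """Return (rule, target account, acting account) tuples in time order."""
    alerts = []
    change_times = defaultdict(list)   # account -> 4723 timestamps inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["event_id"]
        if eid in GROUP_ADD_EVENTS and is_privileged_group(ev["group_sid"]):
            alerts.append(("privileged_group_addition", ev["member"], ev["subject"]))
        elif eid == ACCOUNT_CHANGED_EVENT and any(m in ev["uac"] for m in NEVER_EXPIRE_MARKERS):
            alerts.append(("password_never_expires", ev["target"], ev["subject"]))
        elif eid == PASSWORD_CHANGE_EVENT:
            now = datetime.fromisoformat(ev["time"])
            window = change_times[ev["target"]]
            window.append(now)
            window[:] = [t for t in window if now - t <= CYCLE_WINDOW]   # slide the window
            if len(window) == CYCLE_THRESHOLD:    # fire once, when the threshold is crossed
                alerts.append(("password_cycling", ev["target"], ev["subject"]))
    return alerts


# Constructed sample events (not real logs). ISO-8601 times sort correctly as strings.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4728, "subject": "jdoe",
     "member": "svc_backup", "group_sid": "S-1-5-21-1004336348-1177238915-682003330-512"},
    {"time": "2024-05-01T09:01:00", "event_id": 4732, "subject": "jdoe",
     "member": "helpdesk1", "group_sid": "S-1-5-32-545"},   # Users: not privileged, no alert
    {"time": "2024-05-01T09:02:00", "event_id": 4738, "subject": "jdoe",
     "target": "svc_backup", "uac": "%%2089"},
    {"time": "2024-05-01T09:03:00", "event_id": 4738, "subject": "admin",
     "target": "alice", "uac": "%%2082"},                    # some other UAC flag: no alert
]
# Six self-service password changes on one account within three minutes.
SAMPLE_EVENTS += [
    {"time": f"2024-05-01T09:1{i // 2}:{'30' if i % 2 else '00'}", "event_id": 4723,
     "subject": "mallory", "target": "mallory"}
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints one alert per detected pattern; the 4732 addition to Users and the 4738 with an unrelated flag are deliberately silent, and the sixth password change does not re-fire the cycling alert because the rule only triggers when the count crosses the threshold.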

Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows

213 detections; 5 sources; 4 threat actors

BY SOURCE

elastic 141, sigma 31, splunk_escu 29, crowdstrike_cql 7, kql 5

PROCEDURES (93)

Auto-extracted keyword clusters (stems as emitted by the extractor), each with the number of detections it groups:

Privilege: 19
General Monitoring: 12
Persist: 8
Unusual: 7
Cloud: 7
Azure: 7
Api: 5
Process Creation Monitoring: 5
Credential: 4
Service: 4
Authentication Monitoring: 4
Aws: 3
Kerbero: 3
Event Log: 3
Api: 3
Aws: 3
C2: 3
Phish: 3
Bypass: 3
Suspicious: 3
Persist: 3
Kubernetes: 2
Lateral: 2
Dcsync: 2
Container: 2
Oauth: 2
Azure: 2
Token: 2
Azure: 2
Phish: 2
Saml: 2
Unusual: 2
Kubernetes: 2
Lateral: 2
Privilege: 1
Dns: 1
Api: 1
Credential: 1
Anomal: 1
Service: 1
Event Log: 1
Api: 1
Suspicious: 1
C2: 1
Persist: 1
Powershell: 1
Unusual: 1
Dns: 1
Service: 1
Unusual: 1
Impersonat: 1
Kubernetes: 1
Bypass: 1
Bypass: 1
Suspicious: 1
Dns: 1
Exfiltrat: 1
Token: 1
Kubernetes: 1
Suspicious: 1
Unusual: 1
Azure: 1
Remote: 1
Powershell: 1
Bypass: 1
Token: 1
Persist: 1
Credential: 1
Suspicious: 1
Suspicious: 1
Azure: 1
Email: 1
Cloud: 1
Cloud: 1
Remote: 1
Network Connection Monitoring: 1
Oauth: 1
Cloud Monitoring: 1
Container: 1
Kerbero: 1
Email: 1
Phish: 1
Service: 1
Exfiltrat: 1
Remote: 1
Kubernetes: 1
Network Connection Monitoring: 1
Privilege: 1
Kerbero: 1
Service: 1
Impersonat: 1
Powershell: 1
Privilege: 1

DETECTIONS (213)

Listed as: name (source, severity where the source assigns one). 200 of the 213 appear on this page.

A Member Was Added to a Security-Enabled Global Group (sigma, low)
A Member Was Removed From a Security-Enabled Global Group (sigma, low)
A New Trust Was Created To A Domain (sigma, medium)
A Security-Enabled Global Group Was Deleted (sigma, low)
Account Configured with Never-Expiring Password (elastic, medium)
Account Password Reset Remotely (elastic, medium)
Active Directory Activity (crowdstrike_cql)
Active Directory Activity (crowdstrike_cql)
Active Directory Group Modification by SYSTEM (elastic, medium)
Active Directory User Backdoors (sigma, high)
Administrator Privileges Assigned to an Okta Group (elastic, medium)
AdminSDHolder Backdoor (elastic, high)
AdminSDHolder SDProp Exclusion Added (elastic, high)
Anomalous User Activity (sigma, high)
Application Added to Google Workspace Domain (elastic, medium)
ASL AWS IAM Delete Policy (splunk_escu)
ASL AWS IAM Failure Group Deletion (splunk_escu)
ASL AWS IAM Successful Group Deletion (splunk_escu)
Attempt to Create Okta API Token (elastic, medium)
Attempt to Reset MFA Factors for an Okta User Account (elastic, low)
AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization (elastic, medium)
AWS EC2 Instance Connect SSH Public Key Uploaded (elastic, medium)
AWS EKS Access Entry Granted Cluster Admin Policy (elastic, high)
AWS EKS Access Entry Modified (elastic, medium)
AWS First Occurrence of STS GetFederationToken Request by User (elastic, medium)
AWS IAM AdministratorAccess Policy Attached to Group (elastic, medium)
AWS IAM AdministratorAccess Policy Attached to Role (elastic, medium)
AWS IAM AdministratorAccess Policy Attached to User (elastic, medium)
AWS IAM API Calls via Temporary Session Tokens (elastic, low)
AWS IAM Assume Role Policy Update (elastic, low)
AWS IAM Backdoor Users Keys (sigma, medium)
AWS IAM Customer Managed Policy Version Created or Default Version Set (elastic, medium)
AWS IAM Customer-Managed Policy Attached to Role by Rare User (elastic, low)
AWS IAM Delete Policy (splunk_escu)
AWS IAM Failure Group Deletion (splunk_escu)
AWS IAM Login Profile Added for Root (elastic, high)
AWS IAM Roles Anywhere Profile Creation (elastic, low)
AWS IAM Roles Anywhere Trust Anchor Created with External CA (elastic, medium)
AWS IAM SAML Provider Created (elastic, medium)
AWS IAM Sensitive Operations via Lambda Execution Role (elastic, high)
AWS IAM Successful Group Deletion (splunk_escu)
AWS IAM User Addition to Group (elastic, low)
AWS IAM User Created Access Keys For Another User (elastic, medium)
AWS IAM Virtual MFA Device Registration Attempt with Session Token (elastic, medium)
AWS RDS DB Instance or Cluster Password Modified (elastic, medium)
AWS Route 53 Domain Transfer Lock Disabled (elastic, high)
AWS Route 53 Domain Transfer Lock Disabled (sigma, low)
AWS Route 53 Domain Transferred to Another Account (sigma, low)
AWS Route 53 Domain Transferred to Another Account (elastic, high)
AWS Route 53 Private Hosted Zone Associated With a VPC (elastic, medium)
AWS S3 Bucket Policy Added to Share with External Account (elastic, medium)
AWS Sensitive IAM Operations Performed via CloudShell (elastic, medium)
AWS STS AssumeRoot by Rare User and Member Account (elastic, medium)
AWS User Login Profile Was Modified (sigma, high)
Azure AD Service Principal Owner Added (splunk_escu)
Azure AD User Enabled And Password Reset (splunk_escu)
Azure AD User ImmutableId Attribute Updated (splunk_escu)
Azure Event Hub Authorization Rule Created or Updated (elastic, medium)
Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created (elastic, low)
Azure RBAC Built-In Administrator Roles Assigned (elastic, high)
Azure Storage Account Key Regenerated (elastic, low)
Azure VM Extension Deployment by User (elastic, medium)
Bitbucket Global Permission Changed (sigma, medium)
Bulk Deletion Changes To Privileged Account Permissions (sigma, high)
Change to Authentication Method (sigma, medium)
Cisco ASA - User Privilege Level Change (splunk_escu)
Cisco Configuration Archive Logging Analysis (splunk_escu)
Cisco Local Accounts (sigma, high)
Commandline Group Addition (kql)
Created Local User Accounts (crowdstrike_cql)
Created Local User Accounts (crowdstrike_cql)
CyberArk Privileged Access Security Recommended Monitor (elastic, high)
Delegated Managed Service Account Modification by an Unusual User (elastic, high)
Deleted Local User Accounts (crowdstrike_cql)
Deleted Local User Accounts (crowdstrike_cql)
Deprecated - M365 Teams Guest Access Enabled (elastic, medium)
Detect when an account has been changed in order for the password to never expire (kql)
dMSA Account Creation by an Unusual User (elastic, high)
DMSA Link Attributes Modified (sigma, low)
DMSA Service Account Created in Specific OUs - PowerShell (sigma, medium)
EKS Authentication Configuration Modified (elastic, high)
Enabled User Right in AD to Control User Objects (sigma, high)
Entra ID ADRS Token Request by Microsoft Authentication Broker (elastic, medium)
Entra ID Application Credential Modified (elastic, medium)
Entra ID Device Registration with ROADtools Default OS Build (elastic, medium)
Entra ID Device with ROADtools Default OS Build (Entity Analytics) (elastic, medium)
Entra ID Domain Federation Configuration Change (elastic, high)
Entra ID Elevated Access to User Access Administrator (elastic, high)
Entra ID Federated Identity Credential Issuer Modified (elastic, high)
Entra ID Global Administrator Role Assigned (elastic, high)
Entra ID Global Administrator Role Assigned (PIM User) (elastic, high)
Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN (elastic, high)
Entra ID OAuth PRT Issuance to Non-Managed Device Detected (elastic, medium)
Entra ID Privileged Identity Management (PIM) Role Modified (elastic, medium)
Entra ID Protection User Alert and Device Registration (elastic, high)
Entra ID Register Device with Unusual User Agent (Azure AD Join) (elastic, medium)
Entra ID Service Principal Credentials Created by Unusual User (elastic, medium)
Entra ID Service Principal Federated Credential Authentication by Unusual Client (elastic, medium)
Entra ID Sharepoint or OneDrive Accessed by Unusual Client (elastic, medium)
Entra ID Unusual Cloud Device Registration (elastic, medium)
Entra ID User Added as Registered Application Owner (elastic, low)
Entra ID User Added as Service Principal Owner (elastic, low)
Entra ID User Sign-in with Unusual Non-Managed Device (elastic, low)
ESXi Account Modified (splunk_escu)
ESXi Admin Permission Assigned To Account Via ESXCLI (sigma, high)
ESXi User Granted Admin Role (splunk_escu)
External User Added to Google Workspace Group (elastic, medium)
GCP Access Policy Deleted (sigma, medium)
GCP IAM Custom Role Creation (elastic, medium)
GCP IAM Service Account Key Deletion (elastic, low)
GCP Service Account Key Creation (elastic, low)
GCP Storage Bucket Permissions Modification (elastic, medium)
GitHub Owner Role Granted To User (elastic, medium)
Google Workspace Admin Role Assigned to a User (elastic, high)
Google Workspace API Access Granted via Domain-Wide Delegation (elastic, medium)
Google Workspace Custom Admin Role Created (elastic, medium)
Google Workspace Device Registration After OAuth from Suspicious ASN (elastic, high)
Google Workspace Device Registration Burst for Single User (elastic, medium)
Google Workspace Granted Domain API Access (sigma, medium)
Google Workspace Object Copied to External Drive with App Consent (elastic, medium)
Google Workspace Password Policy Modified (elastic, medium)
Google Workspace Role Modified (elastic, medium)
Google Workspace Suspended User Account Renewed (elastic, low)
Google Workspace User Granted Admin Privileges (sigma, medium)
Google Workspace User Organizational Unit Changed (elastic, low)
Google Workspace User Sign-in from Atypical Device Type (elastic, medium)
Kerberos Pre-authentication Disabled for User (elastic, medium)
KRBTGT Delegation Backdoor (elastic, high)
Kubernetes Client Certificate Signing Request Created or Approved (elastic, high)
Kubernetes Cluster-Admin Role Binding Created (elastic, medium)
Kubernetes Creation of a RoleBinding Referencing a ServiceAccount (elastic, medium)
Kubernetes Creation or Modification of Sensitive Role (elastic, medium)
Kubernetes RBAC Wildcard Elevation on Existing Role (elastic, high)
Kubernetes Sensitive RBAC Change Followed by Workload Modification (elastic, medium)
Kubernetes Service Account Modified RBAC Objects (elastic, medium)
Linux Group Creation (elastic, low)
Linux User Account Credential Modification (elastic, medium)
Linux User Added to Privileged Group (elastic, low)
List *.All MS Graph Permissions Added (kql)
List MS Graph Mail Permissions Added (kql)
M365 Exchange Mailbox Audit Logging Bypass Added (elastic, medium)
M365 Exchange Mailbox High-Risk Permission Delegated (elastic, low)
M365 Exchange Management Group Role Assigned (elastic, medium)
M365 Exchange MFA Notification Email Deleted or Moved (elastic, low)
M365 Identity Global Administrator Role Assigned (elastic, medium)
M365 Identity OAuth Flow by User Sign-in to Device Registration (elastic, high)
M365 Identity OAuth Illicit Consent Grant by Rare Client and User (elastic, medium)
M365 SharePoint Site Administrator Added (elastic, medium)
Modification of the msPKIAccountCredentials (elastic, medium)
New ActiveSyncAllowedDeviceID Added via PowerShell (elastic, medium)
New DMSA Service Account Created in Specific OUs (sigma, medium)
New GitHub App Installed (elastic, medium)
New GitHub Owner Added (elastic, medium)
New GitHub Personal Access Token (PAT) Added (elastic, low)
Number Of Resource Creation Or Deployment Activities (sigma, medium)
O365 Application Registration Owner Added (splunk_escu)
Okta User Assigned Administrator Role (elastic, medium)
OpenSSL Password Hash Generation (elastic, medium)
Password change after succesful brute force (kql)
Password Change on Directory Service Restore Mode (DSRM) Account (sigma, high)
Password Set to Never Expire via WMI (sigma, medium)
Pod or Container Creation with Suspicious Command-Line (elastic, medium)
Potential Active Directory Replication Account Backdoor (elastic, medium)
Potential Admin Group Account Addition (elastic, medium)
Potential Linux Backdoor User Account Creation (elastic, high)
Potential Persistence via File Modification (elastic, low)
Potential Privileged Escalation via SamAccountName Spoofing (elastic, high)
Potential Shadow Credentials added to AD Object (elastic, high)
Potential Suspicious File Edit (elastic, low)
Powershell LocalAccount Manipulation (sigma, medium)
Powerview Add-DomainObjectAcl DCSync AD Extend Right (sigma, high)
Privileged User Has Been Created (sigma, high)
Remote Computer Account DnsHostName Update (elastic, high)
Security Group Created (Microsoft Defender for Identity) (crowdstrike_cql)
Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal (elastic, high)
Shadow File Modification by Unusual Process (elastic, low)
Spike in Group Application Assignment Change Events (elastic, low)
Spike in Group Lifecycle Change Events (elastic, low)
Spike in Group Management Events (elastic, low)
Spike in Group Membership Events (elastic, low)
Spike in Group Privilege Change Events (elastic, low)
Spike in User Account Management Events (elastic, low)
Spike in User Lifecycle Management Change Events (elastic, low)
SSH Authorized Key File Activity Detected via Defend for Containers (elastic, medium)
SSH Authorized Keys File Activity (elastic, medium)
SSH Key Generated via ssh-keygen (elastic, low)
Suspicious Echo or Printf Execution Detected via Defend for Containers (elastic, high)
Unusual Group Name Accessed by a User (elastic, low)
Unusual Kubernetes Sensitive Workload Modification (elastic, low)
Unusual Login via System User (elastic, medium)
Unusual Privilege Type assigned to a User (elastic, low)
User account exposed to Kerberoasting (elastic, medium)
User Added To Highly Privileged Group (sigma, high)
User Added to Local Administrator Group (sigma, medium)
User Added to Local Administrators Group (sigma, medium)
User Added to Privileged Group in Active Directory (elastic, medium)
User Added to the Admin Group (elastic, low)
User or Group Creation/Modification (elastic, low)
Windows AD add Self to Group (splunk_escu)
Windows AD DSRM Account Changes (splunk_escu)