EXPLORE
← Back to Explore
T1098

Account Manipulation

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compro...

ContainersESXiIaaSIdentity ProviderLinuxmacOSNetwork DevicesOffice SuiteSaaSWindows
229
Detections
5
Sources
4
Threat Actors

BY SOURCE

157elastic31sigma29splunk_escu7crowdstrike_cql5kql

PROCEDURES (93)

Privilege20 detections

Auto-extracted: 20 detections for privilege

General Monitoring11 detections

Auto-extracted: 11 detections for general monitoring

Aws9 detections

Auto-extracted: 9 detections for aws

Unusual7 detections

Auto-extracted: 7 detections for unusual

Azure7 detections

Auto-extracted: 7 detections for azure

Cloud6 detections

Auto-extracted: 6 detections for cloud

Phish6 detections

Auto-extracted: 6 detections for phish

Persist6 detections

Auto-extracted: 6 detections for persist

Process Creation Monitoring5 detections

Auto-extracted: 5 detections for process creation monitoring

Credential4 detections

Auto-extracted: 4 detections for credential

Phish3 detections

Auto-extracted: 3 detections for phish

Authentication Monitoring3 detections

Auto-extracted: 3 detections for authentication monitoring

Event Log3 detections

Auto-extracted: 3 detections for event log

Api3 detections

Auto-extracted: 3 detections for api

Aws3 detections

Auto-extracted: 3 detections for aws

Persist3 detections

Auto-extracted: 3 detections for persist

C23 detections

Auto-extracted: 3 detections for c2

Service3 detections

Auto-extracted: 3 detections for service

Bypass3 detections

Auto-extracted: 3 detections for bypass

Api2 detections

Auto-extracted: 2 detections for api

Kubernetes2 detections

Auto-extracted: 2 detections for kubernetes

Persist2 detections

Auto-extracted: 2 detections for persist

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Token2 detections

Auto-extracted: 2 detections for token

Lateral2 detections

Auto-extracted: 2 detections for lateral

Unusual2 detections

Auto-extracted: 2 detections for unusual

Bypass2 detections

Auto-extracted: 2 detections for bypass

Aws2 detections

Auto-extracted: 2 detections for aws

Saml2 detections

Auto-extracted: 2 detections for saml

Lateral2 detections

Auto-extracted: 2 detections for lateral

Oauth2 detections

Auto-extracted: 2 detections for oauth

Azure2 detections

Auto-extracted: 2 detections for azure

Token2 detections

Auto-extracted: 2 detections for token

Azure2 detections

Auto-extracted: 2 detections for azure

Persist2 detections

Auto-extracted: 2 detections for persist

Container2 detections

Auto-extracted: 2 detections for container

Dcsync2 detections

Auto-extracted: 2 detections for dcsync

Kubernetes2 detections

Auto-extracted: 2 detections for kubernetes

Credential1 detections

Auto-extracted: 1 detections for credential

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Persist1 detections

Auto-extracted: 1 detections for persist

Remote1 detections

Auto-extracted: 1 detections for remote

Unusual1 detections

Auto-extracted: 1 detections for unusual

Credential1 detections

Auto-extracted: 1 detections for credential

Dns1 detections

Auto-extracted: 1 detections for dns

Dns1 detections

Auto-extracted: 1 detections for dns

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Service1 detections

Auto-extracted: 1 detections for service

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

C21 detections

Auto-extracted: 1 detections for c2

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Oauth1 detections

Auto-extracted: 1 detections for oauth

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Service1 detections

Auto-extracted: 1 detections for service

Api1 detections

Auto-extracted: 1 detections for api

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Privilege1 detections

Auto-extracted: 1 detections for privilege

Email1 detections

Auto-extracted: 1 detections for email

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Token1 detections

Auto-extracted: 1 detections for token

Remote1 detections

Auto-extracted: 1 detections for remote

Azure1 detections

Auto-extracted: 1 detections for azure

Remote1 detections

Auto-extracted: 1 detections for remote

Privilege1 detections

Auto-extracted: 1 detections for privilege

Kubernetes1 detections

Auto-extracted: 1 detections for kubernetes

Container1 detections

Auto-extracted: 1 detections for container

Bypass1 detections

Auto-extracted: 1 detections for bypass

Service1 detections

Auto-extracted: 1 detections for service

Bypass1 detections

Auto-extracted: 1 detections for bypass

Credential1 detections

Auto-extracted: 1 detections for credential

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Azure1 detections

Auto-extracted: 1 detections for azure

Email1 detections

Auto-extracted: 1 detections for email

Cloud1 detections

Auto-extracted: 1 detections for cloud

Cloud1 detections

Auto-extracted: 1 detections for cloud

Powershell1 detections

Auto-extracted: 1 detections for powershell

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Phish1 detections

Auto-extracted: 1 detections for phish

Powershell1 detections

Auto-extracted: 1 detections for powershell

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Privilege1 detections

Auto-extracted: 1 detections for privilege

Anomal1 detections

Auto-extracted: 1 detections for anomal

Unusual1 detections

Auto-extracted: 1 detections for unusual

Unusual1 detections

Auto-extracted: 1 detections for unusual

Unusual1 detections

Auto-extracted: 1 detections for unusual

Oauth1 detections

Auto-extracted: 1 detections for oauth

Api1 detections

Auto-extracted: 1 detections for api

Credential1 detections

Auto-extracted: 1 detections for credential

Impersonat1 detections

Auto-extracted: 1 detections for impersonat

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

DETECTIONS (229)

A Member Was Added to a Security-Enabled Global Group
sigmalow
A Member Was Removed From a Security-Enabled Global Group
sigmalow
A New Trust Was Created To A Domain
sigmamedium
A Security-Enabled Global Group Was Deleted
sigmalow
Account Configured with Never-Expiring Password
elasticmedium
Account Password Reset Remotely
elasticmedium
Active Directory Activity
crowdstrike_cql
Active Directory Activity
crowdstrike_cql
Active Directory Group Modification by SYSTEM
elasticmedium
Active Directory User Backdoors
sigmahigh
Administrator Privileges Assigned to an Okta Group
elasticmedium
AdminSDHolder Backdoor
elastichigh
AdminSDHolder SDProp Exclusion Added
elastichigh
Anomalous User Activity
sigmahigh
Application Added to Google Workspace Domain
elastichigh
ASL AWS IAM Delete Policy
splunk_escu
ASL AWS IAM Failure Group Deletion
splunk_escu
ASL AWS IAM Successful Group Deletion
splunk_escu
Attempt to Create Okta API Token
elasticmedium
Attempt to Reset MFA Factors for an Okta User Account
elasticlow
AWS Bedrock Foundation Model Access Enabled or Entitlement Granted
elasticmedium
AWS Bedrock Resource-Based Policy Modified or Deleted
elasticmedium
AWS Bedrock Unauthorized Foundation Model Access Attempt
elasticlow
AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt
elasticlow
AWS EC2 CreateKeyPair by New Principal from Non-Cloud AS Organization
elastichigh
AWS EC2 Instance Connect SSH Public Key Uploaded
elastichigh
AWS EKS Access Entry Granted Cluster Admin Policy
elastichigh
AWS EKS Access Entry Modified
elasticmedium
AWS First Occurrence of STS GetFederationToken Request by User
elastichigh
AWS IAM AdministratorAccess Policy Attached to Group
elasticmedium
AWS IAM AdministratorAccess Policy Attached to Role
elasticmedium
AWS IAM AdministratorAccess Policy Attached to User
elastichigh
AWS IAM API Calls via Temporary Session Tokens
elastichigh
AWS IAM Assume Role Policy Update
elasticlow
AWS IAM Backdoor Users Keys
sigmamedium
AWS IAM Credentials Added to a Bedrock API Key Phantom User
elastichigh
AWS IAM Customer Managed Policy Version Created or Default Version Set
elasticmedium
AWS IAM Customer-Managed Policy Attached to Role by Rare User
elasticlow
AWS IAM Delete Policy
splunk_escu
AWS IAM Failure Group Deletion
splunk_escu
AWS IAM Inline Policy Added to a Group
elasticmedium
AWS IAM Login Profile Added for Root
elastichigh
AWS IAM Login Profile Created or Modified for an IAM User
elasticmedium
AWS IAM Permissions Boundary Modified or Removed
elasticmedium
AWS IAM Roles Anywhere Profile Creation
elastichigh
AWS IAM Roles Anywhere Trust Anchor Created with External CA
elasticmedium
AWS IAM SAML Provider Created
elastichigh
AWS IAM Sensitive Operations via Lambda Execution Role
elastichigh
AWS IAM Successful Group Deletion
splunk_escu
AWS IAM User Addition to Group
elasticlow
AWS IAM User Created Access Keys For Another User
elastichigh
AWS IAM Virtual MFA Device Registration Attempt with Session Token
elastichigh
AWS RDS DB Instance or Cluster Password Modified
elasticmedium
AWS Route 53 Domain Transfer Lock Disabled
sigmalow
AWS Route 53 Domain Transfer Lock Disabled
elastichigh
AWS Route 53 Domain Transferred to Another Account
elastichigh
AWS Route 53 Domain Transferred to Another Account
sigmalow
AWS Route 53 Private Hosted Zone Associated With a VPC
elasticmedium
AWS S3 Bucket Policy Added to Share with External Account
elasticmedium
AWS Sensitive IAM Operations Performed via CloudShell
elastichigh
AWS STS AssumeRoot by Rare User and Member Account
elastichigh
AWS User Login Profile Was Modified
sigmahigh
Azure AD Service Principal Owner Added
splunk_escu
Azure AD User Enabled And Password Reset
splunk_escu
Azure AD User ImmutableId Attribute Updated
splunk_escu
Azure Event Hub Authorization Rule Created or Updated
elasticmedium
Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created
elasticlow
Azure RBAC Built-In Administrator Roles Assigned
elastichigh
Azure Storage Account Key Regenerated
elasticlow
Azure VM Extension Deployment by User
elasticmedium
Bitbucket Global Permission Changed
sigmamedium
Bulk Deletion Changes To Privileged Account Permissions
sigmahigh
Change to Authentication Method
sigmamedium
Cisco ASA - User Privilege Level Change
splunk_escu
Cisco Configuration Archive Logging Analysis
splunk_escu
Cisco Local Accounts
sigmahigh
Commandline Group Addition
kql
Created Local User Accounts
crowdstrike_cql
Created Local User Accounts
crowdstrike_cql
CyberArk Privileged Access Security Recommended Monitor
elastichigh
Delegated Managed Service Account Modification by an Unusual User
elastichigh
Deleted Local User Accounts
crowdstrike_cql
Deleted Local User Accounts
crowdstrike_cql
Deprecated - M365 Teams Guest Access Enabled
elasticmedium
Detect when an account has been changed in order for the password to never expire
kql
dMSA Account Creation by an Unusual User
elastichigh
DMSA Link Attributes Modified
sigmalow
DMSA Service Account Created in Specific OUs - PowerShell
sigmamedium
EKS Authentication Configuration Modified
elastichigh
Enabled User Right in AD to Control User Objects
sigmahigh
Entra ID ADRS Token Request by Microsoft Authentication Broker
elasticmedium
Entra ID AiTM Phishing-Kit Chain Detected
elastichigh
Entra ID Application Credential Modified
elasticmedium
Entra ID Device Registration with Phishing Kit Default OS Build
elasticmedium
Entra ID Device Registration with ROADtools Default OS Build
elastichigh
Entra ID Device with ROADtools Default OS Build (Entity Analytics)
elastichigh
Entra ID Domain Federation Configuration Change
elastichigh
Entra ID Elevated Access to User Access Administrator
elastichigh
Entra ID Federated Identity Credential Issuer Modified
elastichigh
Entra ID Global Administrator Role Assigned
elastichigh
Entra ID Global Administrator Role Assigned (PIM User)
elastichigh
Entra ID Guest Account Promoted to Member
elasticmedium
Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN
elastichigh
Entra ID Multiple Device Registrations by a Single User
elasticmedium
Entra ID OAuth PRT Issuance to Non-Managed Device Detected
elasticmedium
Entra ID Phishing Kit Default OS Build (Entity Analytics)
elasticmedium
Entra ID Privileged Identity Management (PIM) Role Modified
elasticmedium
Entra ID Protection User Alert and Device Registration
elastichigh
Entra ID Register Device with Unusual User Agent (Azure AD Join)
elasticmedium
Entra ID Service Principal Credentials Created by Unusual User
elasticmedium
Entra ID Service Principal Federated Credential Authentication by Unusual Client
elastichigh
Entra ID Sharepoint or OneDrive Accessed by Unusual Client
elasticmedium
Entra ID Unusual Cloud Device Registration
elasticmedium
Entra ID User Added as Registered Application Owner
elasticlow
Entra ID User Added as Service Principal Owner
elasticlow
Entra ID User Sign-in with Unusual Non-Managed Device
elasticlow
ESXi Account Modified
splunk_escu
ESXi Admin Permission Assigned To Account Via ESXCLI
sigmahigh
ESXi User Granted Admin Role
splunk_escu
External User Added to Google Workspace Group
elasticmedium
GCP Access Policy Deleted
sigmamedium
GCP IAM Custom Role Creation
elastichigh
GCP IAM Service Account Key Deletion
elasticlow
GCP Service Account Key Creation
elastichigh
GCP Storage Bucket Permissions Modification
elasticmedium
GitHub Owner Role Granted To User
elasticmedium
GKE Cluster-Admin Role Binding Created or Modified
elasticmedium
GKE RBAC Wildcard Elevation on Existing Role
elastichigh
Google Workspace Admin Role Assigned to a User or Group
elastichigh
Google Workspace API Access Granted via Domain-Wide Delegation
elastichigh
Google Workspace Custom Admin Role Created
elasticmedium
Google Workspace Device Registration After OAuth from Suspicious ASN
elastichigh
Google Workspace Device Registration Burst for Single User
elasticmedium
Google Workspace Granted Domain API Access
sigmamedium
Google Workspace Object Copied from External Drive with App Consent
elastichigh
Google Workspace Password Policy Modified
elasticmedium
Google Workspace Role Modified
elastichigh
Google Workspace Suspended User Account Renewed
elastichigh
Google Workspace User Granted Admin Privileges
sigmamedium
Google Workspace User Organizational Unit Changed
elasticlow
Google Workspace User Sign-in from Atypical Device Type
elasticmedium
Kerberos Pre-authentication Disabled for User
elasticmedium
KRBTGT Delegation Backdoor
elastichigh
Kubernetes Client Certificate Signing Request Created or Approved
elastichigh
Kubernetes Cluster-Admin Role Binding Created
elasticmedium
Kubernetes Creation of a RoleBinding Referencing a ServiceAccount
elasticmedium
Kubernetes Creation or Modification of Sensitive Role
elasticmedium
Kubernetes RBAC Wildcard Elevation on Existing Role
elastichigh
Kubernetes Sensitive RBAC Change Followed by Workload Modification
elasticmedium
Kubernetes Service Account Modified RBAC Objects
elasticmedium
Linux Group Creation
elasticlow
Linux User Account Credential Modification
elasticmedium
Linux User Added to Privileged Group
elasticlow
List *.All MS Graph Permissions Added
kql
List MS Graph Mail Permissions Added
kql
M365 Exchange Mailbox Audit Logging Bypass Added
elasticmedium
M365 Exchange Mailbox High-Risk Permission Delegated
elasticlow
M365 Exchange Management Group Role Assigned
elasticmedium
M365 Exchange MFA Notification Email Deleted or Moved
elasticlow
M365 Identity Global Administrator Role Assigned
elasticmedium
M365 Identity OAuth Flow by User Sign-in to Device Registration
elastichigh
M365 Identity OAuth Illicit Consent Grant by Rare Client and User
elasticmedium
M365 SharePoint Site Administrator Added
elasticmedium
Modification of the msPKIAccountCredentials
elasticmedium
New ActiveSyncAllowedDeviceID Added via PowerShell
elasticmedium
New DMSA Service Account Created in Specific OUs
sigmamedium
New GitHub App Installed
elasticmedium
New GitHub Owner Added
elasticmedium
New GitHub Personal Access Token (PAT) Added
elasticlow
Number Of Resource Creation Or Deployment Activities
sigmamedium
O365 Application Registration Owner Added
splunk_escu
Okta User Assigned Administrator Role
elasticmedium
OpenSSL Password Hash Generation
elasticmedium
Password change after succesful brute force
kql
Password Change on Directory Service Restore Mode (DSRM) Account
sigmahigh
Password Set to Never Expire via WMI
sigmamedium
Pod or Container Creation with Suspicious Command-Line
elasticmedium
Potential Active Directory Replication Account Backdoor
elasticmedium
Potential Admin Group Account Addition
elasticmedium
Potential Linux Backdoor User Account Creation
elastichigh
Potential Persistence via File Modification
elasticlow
Potential Privileged Escalation via SamAccountName Spoofing
elastichigh
Potential Redis CONFIG SET SSH Authorized Key Injection
elastichigh
Potential Shadow Credentials added to AD Object
elastichigh
Potential Suspicious File Edit
elasticlow
Powershell LocalAccount Manipulation
sigmamedium
Powerview Add-DomainObjectAcl DCSync AD Extend Right
sigmahigh
Privileged User Has Been Created
sigmahigh
Remote Computer Account DnsHostName Update
elastichigh
Security Group Created (Microsoft Defender for Identity)
crowdstrike_cql
Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal
elastichigh
Shadow File Modification by Unusual Process
elasticlow
Spike in Group Application Assignment Change Events
elasticlow
Spike in Group Lifecycle Change Events
elasticlow
Spike in Group Management Events
elasticlow
Spike in Group Membership Events
elasticlow
Spike in Group Privilege Change Events
elasticlow
Spike in User Account Management Events
elasticlow
Spike in User Lifecycle Management Change Events
elasticlow
SSH Authorized Key File Activity Detected via Defend for Containers
elasticmedium