T1098: Account Manipulation
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- clickhouse: PT-CR-1566: ClickHouse_Grant_All_Roles: An attempt to change user rights or role is detected
- sap_suspicious_user_activity: PT-CR-230: SAPASABAP_Assigning_Yourself_Privileges: A user assigned himself privileges in the system
- sap_suspicious_user_activity: PT-CR-232: SAPASABAP_Critical_Action_By_Non_Admin_User: A non-admin user performed a critical action in the system
- sap_java_suspicious_user_activity: PT-CR-541: SAPASJAVA_Password_Changed_For_SAP_Standard_Users_And_Logon: The password of a default user was changed, then a user logged in under this account
- sap_java_suspicious_user_activity: PT-CR-535: SAPASJAVA_Authorization_Assignment_By_Non_Admin_User: A user is added to a group by a non-administrator user
- sap_java_suspicious_user_activity: PT-CR-534: SAPASJAVA_Assign_User_To_Admin_Group: A user is added to an administrators group
- sap_java_suspicious_user_activity: PT-CR-543: SAPASJAVA_User_Password_Changed: An account password is changed multiple times
- microsoft_exchange: PT-CR-2360: Exchange_Critical_Group_Manipulate: A user changed or deleted a critical group in Exchange. This could be an attacker's attempt to escalate privileges or disrupt system availability.
- microsoft_exchange: PT-CR-2355: Exchange_Admin_Role_Actions: A user performed an action with a management role in Exchange. This may indicate an attacker's attempt to escalate privileges or disrupt availability of system resources.
- microsoft_exchange: PT-CR-2411: Exchange_Illegal_Distribution_Group_Modify: Change of Active Directory groups with the option to automatically add users
- microsoft_exchange: PT-CR-2356: Exchange_Role_Assignment_Policy_Actions: A user created or changed a management role assignment policy in Exchange. This could be an attacker's attempt to escalate privileges.
- microsoft_exchange: PT-CR-2434: Exchange_Distribution_Group_Member_Added: Attempt to add a user to a distribution group
- mitre_attck_impact: PT-CR-496: Remove_Account_From_Sensitive_Group: Detection of attempts to remove an account from a group that is significant for IS (table list Significant_Windows_Groups)
- elasticsearch: PT-CR-2708: Elasticsearch_Critical_Users_Modify: A critical user configuration was changed in the Elasticsearch database. This may indicate that the user's account was compromised.
- elasticsearch: PT-CR-2705: Elasticsearch_Critical_Role_Assign: A user was assigned a critical role in the Elasticsearch database
- hacking_tools: PT-CR-1947: Powermad_Usage: Powermad is used to exploit AD account attributes
- hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool can find leaked tokens from all processes in the system and exploit them. If attackers accessed a low-privileged account, they can use this tool to upgrade to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to capture interactive user sessions.
- kaspersky: PT-CR-1846: Kaspersky_Enable_User: A user enabled an account
- kaspersky: PT-CR-1848: Kaspersky_Add_Role_To_User: A user added new rights to a user or group
- zvirt: PT-CR-2819: ZVirt_Critical_Roles_Granted: A user assigned a critical role to an account in the zVirt virtualization platform
- apache_cassandra_database: PT-CR-2087: Apache_Cassandra_Grant_All_Permissions: Attempt to grant all permissions to a role. This may indicate an attacker trying to hide their activity using a privileged account.
- unix_mitre_attck_persistence: PT-CR-1673: Unix_Suspicious_Etc_Modify: System files were changed
- kontinent: PT-CR-2400: Kontinent_Account_Manipulation: An action with a resource user account or administrator account was performed. This can indicate an attacker attempting to create a new account for themselves or change the properties of an existing account to gain access to the necessary network resources or escalate privileges.
- kontinent: PT-CR-2399: Kontinent_Role_Manipulation: An action with an administrator role was performed. An attacker can create, change, or delete administrator roles to gain more privileges or deprive legitimate administrators of privileges.
- web_servers_abnormal_activity: PT-CR-1976: Web_Servers_Abnormal_Activity_Modify_User_Privileges: An attacker can edit user profiles to change user privileges
- active_directory_attacks: PT-CR-831: Computer_Delegation_Configured: One of the types of delegation is configured in the domain: unconstrained delegation, constrained delegation, or resource-based constrained delegation. An attacker can use this setting to obtain users' TGT or TGS tickets. After that, an attacker can elevate privileges and move laterally to other infrastructure nodes
- active_directory_attacks: PT-CR-1344: Remote_Actions_With_Domain_Objects: A PowerView script was used. Attackers use the PowerView tool for reconnaissance in Windows domains.
- active_directory_attacks: PT-CR-1343: PowerViewPy_RBCD_Attack: Resource-based constrained delegation is configured in the domain. An attacker can use this setting to obtain a TGS ticket for the attacked account with administrator access to the server intended for the operation of the service. After that, an attacker can elevate privileges and move laterally to other infrastructure nodes
- active_directory_attacks: PT-CR-1984: Machine_Account_Quota_Changes: A user changed the MS-DS-Machine-Account-Quota attribute (the number of computer accounts that a user is allowed to create in a domain). This may indicate the creation of a new computer account.
- active_directory_attacks: PT-CR-3060: BadSuccessor_Attack: Possible BadSuccessor attack. A link to another account was added to the properties of a delegated Managed Service Account (dMSA). The dMSA account may have been created for this purpose and then deleted to hide the traces of malicious activity.
- active_directory_attacks: PT-CR-654: SAM_Account_Name_Spoofing: A user changed the SamAccountName of an AD object to something unusual (the presence or absence of the "$" symbol at the end of the name does not correspond to the object type) or requested a TGT under an account that matches the name of a domain controller. This may indicate a SamAccountName Spoofing attack that can allow attackers to escalate privileges or carry out a Targeted Timeroasting attack.
- active_directory_attacks: PT-CR-1342: Subrule_PowerView_Objects_Actions: Remote change of domain objects (domain users and groups, machine accounts) using the PowerView tool (PowerViewPy) is detected
- active_directory_attacks: PT-CR-653: AdminSDHolder_Modification_Attack: A value was added to the properties of the AdminSDHolder container, which periodically updates the permissions of protected objects. This allows an attacker to gain privileged access and gain a foothold in the infrastructure
- active_directory_attacks: PT-CR-2298: Zerologon_Attack: Exploitation of vulnerability CVE-2020-1472 (Zerologon), which allows changing the passwords of domain controller accounts
- bitbucket: PT-CR-2701: Bitbucket_Important_Permission_Assign: An important permission was assigned in Bitbucket
- passwork: PT-CR-2614: Passwork_Admin_Role_Assignment: A user has been assigned the administrator role in the Passwork application. This could be an attacker's action to escalate privileges or gain a foothold in the system
- passwork: PT-CR-2608: Passwork_Critical_User_Manipulation: A user performed a suspicious action on a critical user account in Passwork Password Manager. Such actions include role revocation, password harvesting, and user deletion. This could be an attacker's action to escalate privileges or make system and network resources inaccessible
- mitre_attck_persistence: PT-CR-1862: Add_User_To_Group: Attempt to add a user to a group
- mitre_attck_persistence: PT-CR-2604: Unauthorized_Reset_Password_For_Sensitive_Users: Unexpected reset of a critical user's password. This may indicate that the user's account was compromised.
- mitre_attck_persistence: PT-CR-1348: RID_Hijacking_Persistence: Persistence by hijacking an account's RID
- mitre_attck_persistence: PT-CR-2499: KRBTGT_Delegation: Resource-based constrained delegation was configured for the krbtgt account. This can be used by attackers to generate TGTs and gain persistence in the system.
- mitre_attck_persistence: PT-CR-2594: Hidden_Account_Creation: A hidden account with administrator permissions was created using a new registry key with user information. The event was not recorded in the Windows event log.
- mitre_attck_persistence: PT-CR-432: Critical_Domain_Group_User_Add: A user is added to a privileged domain group
- mitre_attck_persistence: PT-CR-1945: Machine_Account_Attribute_Manipulation: A machine account attribute was changed
- drweb: PT-CR-2069: DrWeb_Admin_Account_Modify: An administrator account action is performed. Administrator account actions can preserve or extend access to systems and lead to security policy bypass
- enterprise_1c_and_bitrix: PT-CR-678: Enterprise_1C_Multiple_User_Unlock: Batch account unlocking
- enterprise_1c_and_bitrix: PT-CR-674: Enterprise_1C_Manipulate_User_With_Critical_Roles: A critical user account was changed or deleted
- enterprise_1c_and_bitrix: PT-CR-675: Enterprise_1C_Multiple_User_Password_Change: Multiple password changes for the same account
- security_code_secret_net_lsp: PT-CR-1887: SecretNet_LSP_Multiple_User_Password_Change: Multiple password changes for the same account
- security_code_secret_net_lsp: PT-CR-1890: SecretNet_LSP_User_Elevating: User privilege escalation
- security_code_secret_net_lsp: PT-CR-1895: SecretNet_LSP_Manipulate_User_With_Critical_Roles: Critical account change
- vipnet_tias: PT-CR-2627: ViPNet_TIAS_Critical_User_Manipulation: A user performed an action with a critical user account in ViPNet TIAS. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- mitre_attck_privilege_escalation: PT-CR-2656: Changing_UAC_Flags: Critical userAccountControl attributes of a user or host are changed
- mysql_database: PT-CR-624: MySQL_Permissions_Operation: Attempt to change account permissions
- mysql_database: PT-CR-625: MySQL_User_Operation: Attempt to change or delete a user account
- indeed_pam: PT-CR-2895: Indeed_Important_PAM_Account_Actions: A user performed an action with a critical user account in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable.
- indeed_pam: PT-CR-2897: Indeed_Important_PAM_Host_Account_Actions: A user performed an action with a critical user account on a host in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable.
- indeed_pam: PT-CR-2894: Indeed_Important_PAM_User_Group_Actions: A user performed an action with a critical group in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable.
- indeed_pam: PT-CR-2887: Indeed_Important_Applications_Actions: Suspicious actions with applications on the critical application list in the Indeed PAM application
- pt_ngfw: PT-CR-2935: NGFW_SAM_Account_Name_Spoofing: PT NGFW detected a TGT request under an account that matches a domain controller name
- network_devices_compromise: PT-CR-2284: ViPNet_Policy_Manager_User_Privileges_Modify: User privileges were changed
- samba_active_directory_attacks: PT-CR-2586: SambaDC_Critical_Domain_Group_User_Add: A user is added to a privileged domain group. Attackers can add a user to critical groups to increase privileges or gain a foothold on the system
- samba_active_directory_attacks: PT-CR-2585: SambaDC_Account_Attribute_Manipulation: Attackers can change account attributes to gain additional access or secure their foothold in the system.
- samba_active_directory_attacks: PT-CR-2589: SambaDC_Multiple_User_Password_Change: Multiple user password changes
- microsoft_mecm: PT-CR-1875: MECM_Privileges_Escalation_Via_Role: Privilege escalation for a user in MECM
- microsoft_mecm: PT-CR-1874: MECM_Not_Allowed_Operation_With_Roles: Attempt to escalate privileges using roles in MECM
- microsoft_mecm: PT-CR-1877: MECM_Create_New_Roles: Creating a new role in MECM
- capabilities_account_manipulation: PT-CR-2879: CAP_User_Modified: Modification of an account in application software. This could be an attacker's attempt to disrupt the software's functionality, gain persistence in the system, or escalate privileges.
- supply_chain: PT-CR-1778: SupplyChain_Maintainer_Or_Owner_Role_Assign: Assignment of the Maintainer or Owner role
- supply_chain: PT-CR-1781: SupplyChain_Mass_Maintainer_Or_Owner_Role_Assign: Mass assignment of the Maintainer or Owner roles
- supply_chain: PT-CR-1935: SupplyChain_TeamCity_Modify_Group: A user changed group membership or role in TeamCity. Attackers can perform such actions to maintain access
- mongo_database: PT-CR-530: MongoDB_Grant_High_Role: An attempt to elevate privileges of an account
- mssql_database: PT-CR-405: MSSQL_Administrator_Role_Manipulation: An attempt to assign the administrator role to an account
- mssql_database: PT-CR-417: MSSQL_Login_Configuration_Change: An attempt to change database login settings
- microsoft_sharepoint: PT-CR-2109: Sharepoint_Grant_Critical_Role: A user is assigned a critical role for SharePoint
- microsoft_sharepoint: PT-CR-2115: Sharepoint_Grant_User_Access: A user is granted login access to the SharePoint server
- postgresql_database: PT-CR-2334: PostgreSQL_Assignment_Sensitive_Privilege: Assigning sensitive privileges may result in escalation to root privileges
- vulnerabilities: PT-CR-1369: Windows_Roaming_Credential_Used: A change in the LDAP attributes msPKIAccountCredentials and msPKIRoamingTimestamp is detected. This indicates exploitation of a Windows Credential Roaming vulnerability, which allows writing to any file on behalf of the victim user.
- vulnerabilities: PT-CR-2199: CVE_2023_7028_Gitlab_Password_Reset: Exploitation of vulnerability CVE-2023-7028 in GitLab Community Edition and Enterprise Edition. This vulnerability allows user account password reset emails to be delivered to unverified email addresses.
- vmware_aria: PT-CR-2381: AOFL_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations for Logs
- vmware_aria: PT-CR-2368: Aria_Operations_Change_Admin_Password_Via_CLI: Changing the administrator password in Aria Operations from the command line without the old password can indicate an attacker attempting to block access to the owner and/or access the Aria Operations data
- vmware_aria: PT-CR-2380: Aria_Operations_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations
- zabbix: PT-CR-2054: Zabbix_User_Multiple_Password_Change: A user changed a password in Zabbix multiple times. This could be an attacker's attempt to gain persistence.
- zabbix: PT-CR-2050: Zabbix_Critical_Group_Manipulate: A user performed an action with a critical group in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- zabbix: PT-CR-2051: Zabbix_Critical_User_Manipulate: A user changed a critical user account in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- zabbix: PT-CR-2048: Zabbix_User_Multiple_Unlock: Batch account unlocking in Zabbix. This can be an attacker's attempt to escalate privileges.
- zabbix: PT-CR-2052: Zabbix_Critical_Role_Manipulate: A user performed an action with a critical role in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- freeipa: PT-CR-1958: FreeIPA_Multiple_User_Password_Change: Multiple user password changes
- freeipa: PT-CR-1957: FreeIPA_User_Manipulate_With_Critical_User: A critical user account was modified
- teleport: PT-CR-2535: Teleport_Critical_Role_Manipulation: A user changed or deleted a critical role in Teleport. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- teleport: PT-CR-2544: Teleport_Multiple_User_Modification: A user changed a large number of user accounts in a short period of time. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- teleport: PT-CR-2534: Teleport_Critical_User_Manipulation: A user performed an action with a user account with a critical role in Teleport. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- pt_nad: PT-CR-737: NAD_SAM_Account_Name_Spoofing: A user requested a TGT
Subtechniques
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments for suspicious commands to modify accounts or account settings (including files such as the ... Monitor executed commands and arguments of suspicious commands (such as ...
DS0009 | Process: Process Creation | Monitor for newly constructed processes indicative of modifying account settings, such as those that modify ...
DS0026 | Active Directory: Active Directory Object Modification | Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA.
DS0022 | File: File Modification | Monitor for changes made to files related to account settings, such as ...
DS0036 | Group: Group Modification | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.
DS0002 | User Account: User Account Modification | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
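As an added example (not part of the original page or of any vendor's rule set), the following Python triage applies the DS0002 heuristics above to constructed Windows Security records: subject differing from target on event 4738, membership added to a sensitive group on 4728, a password reset (4724, a standard Windows event ID that the table does not list) and changes at unusual hours. The sensitive-group list, the business-hours window and the sample records are assumptions.

```python
"""Triage of Windows Security events against the DS0002 heuristics above.

Added example, not part of the original page or of any vendor rule set. The
records are constructed samples that reuse Windows Security log field names
(EventID, SubjectUserName, TargetUserName, MemberName); real ingestion would
parse EVTX/XML. SENSITIVE_GROUPS and the business-hours window are assumptions.
"""
from datetime import datetime

# Groups whose membership changes warrant review (assumed list).
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                    "Account Operators", "Schema Admins"}
# Account changes outside this window count as "unusual time" (assumed 08-19h).
BUSINESS_HOURS = range(8, 19)
# 4738, 4728 and 4670 are the IDs named in the table; 4724 (password reset,
# old password not required) is a standard Windows ID the page does not list.
ACCOUNT_EVENTS = {4738, 4728, 4670, 4724}


def triage(event):
    """Return the reasons an event matches the guidance (empty list if none)."""
    reasons = []
    eid = event["EventID"]
    if eid not in ACCOUNT_EVENTS:
        return reasons
    subject = event.get("SubjectUserName", "").lower()
    target = event.get("TargetUserName", "").lower()
    if eid == 4738 and subject != target:
        # Subject and target differ: another principal changed this account.
        reasons.append("account modified by another principal")
    if eid == 4724:
        # A reset (unlike a 4723 change) needs no knowledge of the old password.
        reasons.append("password reset without old password")
    if eid == 4728 and event.get("TargetUserName") in SENSITIVE_GROUPS:
        # For 4728, TargetUserName is the group and MemberName the new member.
        reasons.append("member added to sensitive group " + event["TargetUserName"])
    if datetime.fromisoformat(event["TimeCreated"]).hour not in BUSINESS_HOURS:
        reasons.append("account change at unusual time")
    return reasons


def triage_batch(events):
    """Map RecordId -> reasons for every event that raised at least one reason."""
    return {ev["RecordId"]: r for ev in events if (r := triage(ev))}


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 4738, "TimeCreated": "2024-05-01T10:15:00",
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"RecordId": 2, "EventID": 4738, "TimeCreated": "2024-05-01T02:40:00",
     "SubjectUserName": "svc_backup", "TargetUserName": "admin2"},
    {"RecordId": 3, "EventID": 4728, "TimeCreated": "2024-05-01T11:00:00",
     "SubjectUserName": "helpdesk1", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=example,DC=local"},
    {"RecordId": 4, "EventID": 4724, "TimeCreated": "2024-05-01T14:00:00",
     "SubjectUserName": "helpdesk1", "TargetUserName": "cfo"},
    {"RecordId": 5, "EventID": 4670, "TimeCreated": "2024-05-01T12:00:00",
     "SubjectUserName": "admin1", "ObjectName": "CN=cfo,CN=Users,DC=example,DC=local"},
]
```

Record 1 (a user changing their own account during business hours) and record 5 (an in-hours 4670 with nothing else unusual) produce no reasons; records 2, 3 and 4 are flagged.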
Mitigation
ID | Name | Description
---|---|---
M1030 | Network Segmentation | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.
M1018 | User Account Management | Ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies.
M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts.
M1026 | Privileged Account Management | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
M1028 | Operating System Configuration | Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.