T1098: Account Manipulation
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- kontinent: PT-CR-2399: Kontinent_Role_Manipulation: An action with an administrator role was performed. An attacker can create, change, or delete administrator roles to gain more privileges or deprive legitimate administrators of privileges.
- kontinent: PT-CR-2400: Kontinent_Account_Manipulation: An action with a resource user account or administrator account was performed. This can indicate an attacker attempting to create a new account for themselves or change the properties of an old account to gain access to the necessary network resources or escalate privileges.
- pt_nad: PT-CR-737: NAD_SAM_Account_Name_Spoofing: A user requested a TGT
- web_servers_abnormal_activity: PT-CR-1976: Web_Servers_Abnormal_Activity_Modify_User_Privileges: An attacker can edit user profiles to change user privileges.
- microsoft_sharepoint: PT-CR-2109: Sharepoint_Grant_Critical_Role: A user is assigned a critical role for SharePoint.
- microsoft_sharepoint: PT-CR-2115: Sharepoint_Grant_User_Access: A user is granted login access to the SharePoint server.
- mitre_attck_impact: PT-CR-496: Remove_Account_From_Sensitive_Group: Detection of attempts to remove an account from a group that is significant for IS (table list Significant_Windows_Groups).
- unix_mitre_attck_persistence: PT-CR-1673: Unix_Suspicious_Etc_Modify: System files were changed.
- postgresql_database: PT-CR-2334: PostgreSQL_Assignment_Sensitive_Privilege: Assigning sensitive privileges may result in escalation to root privileges.
- sap_suspicious_user_activity: PT-CR-232: SAPASABAP_Critical_Action_By_Non_Admin_User: A non-admin user performed a critical action in the system.
- sap_suspicious_user_activity: PT-CR-230: SAPASABAP_Assigning_Yourself_Privileges: A user assigned privileges to themselves in the system.
- samba: PT-CR-2589: Samba_Multiple_User_Password_Change: Multiple user password changes.
- samba: PT-CR-2587: Samba_Multiple_User_Lock: Multiple user lockouts.
- samba: PT-CR-2586: Samba_Critical_Domain_Group_User_Add: A user is added to a privileged domain group. Attackers can add a user to critical groups to increase privileges or consolidate their position on the system.
- samba: PT-CR-2585: Samba_Account_Attribute_Manipulation: Attackers can change account attributes to gain additional access or secure a foothold in the system.
- clickhouse: PT-CR-1566: ClickHouse_Grant_All_Roles: An attempt to change user rights or roles is detected.
- drweb: PT-CR-2069: DrWeb_Admin_Account_Modify: An administrator account action is performed. Administrator account actions can preserve or extend access to systems and enable security policy bypass.
- capabilities_account_manipulation: PT-CR-2879: CAP_User_Modified: Modification of an account in application software. This could be an attacker's attempt to disrupt the software's functionality, gain persistence in the system, or escalate privileges.
- elasticsearch: PT-CR-2708: Elasticsearch_Critical_Users_Modify: A critical user configuration was changed in the Elasticsearch database. This may indicate that the user's account was compromised.
- elasticsearch: PT-CR-2705: Elasticsearch_Critical_Role_Assign: A user was assigned a critical role in the Elasticsearch database.
- zvirt: PT-CR-2819: ZVirt_Critical_Roles_Granted: A user assigned a critical role to an account in the zVirt virtualization platform.
- mongo_database: PT-CR-530: MongoDB_Grant_High_Role: An attempt to elevate the privileges of an account.
- mysql_database: PT-CR-624: MySQL_Permissions_Operation: Attempt to change account permissions.
- mysql_database: PT-CR-625: MySQL_User_Operation: Attempt to change or delete a user account.
- supply_chain: PT-CR-1778: SupplyChain_Maintainer_Or_Owner_Role_Assign: Assignment of the Maintainer or Owner role.
- supply_chain: PT-CR-1935: SupplyChain_TeamCity_Modify_Group: A user changed group membership or a role in TeamCity. Attackers can perform such actions to maintain access.
- supply_chain: PT-CR-1781: SupplyChain_Mass_Maintainer_Or_Owner_Role_Assign: Mass assignment of the Maintainer or Owner roles.
- mssql_database: PT-CR-417: MSSQL_Login_Configuration_Change: An attempt to change database login settings.
- mssql_database: PT-CR-405: MSSQL_Administrator_Role_Manipulation: An attempt to assign the administrator role to an account.
- hacking_tools: PT-CR-1947: Powermad_Usage: Powermad is used to exploit AD account attributes.
- hacking_tools: PT-CR-2134: SharpToken_Usage: SharpToken was used. This tool can find leaked tokens from all processes in the system and exploit them. If attackers have access to a low-privileged account, they can use this tool to escalate to "NT AUTHORITY\SYSTEM" privileges. SharpToken can also be used to capture interactive user sessions.
- apache_cassandra_database: PT-CR-2087: Apache_Cassandra_Grant_All_Permissions: Attempt to grant all permissions to a role. This may indicate an attacker trying to hide their activity behind a privileged account.
- pt_ngfw: PT-CR-2935: NGFW_SAM_Account_Name_Spoofing: PT NGFW detected a TGT request under an account that matches a domain controller name.
- vulnerabilities: PT-CR-2199: CVE_2023_7028_Gitlab_Password_Reset: Exploitation of vulnerability CVE-2023-7028 in GitLab Community Edition and Enterprise Edition. This vulnerability allows user account password reset emails to be delivered to unverified email addresses.
- vulnerabilities: PT-CR-1369: Windows_Roaming_Credential_Used: A change in the LDAP attributes msPKIAccountCredentials and msPKIRoamingTimestamp is detected. This indicates exploitation of a Windows Credential Roaming vulnerability, which allows writing to any file on behalf of the victim user.
- active_directory_attacks: PT-CR-2298: Zerologon_Attack: Exploitation of vulnerability CVE-2020-1472 (Zerologon), which allows changing the passwords of domain controller accounts.
- active_directory_attacks: PT-CR-831: Computer_Delegation_Configured: One of the types of delegation is configured in the domain: unconstrained delegation, constrained delegation, or resource-based constrained delegation. An attacker can use this setting to obtain users' TGT or TGS tickets, then elevate privileges and move laterally to other infrastructure nodes.
- active_directory_attacks: PT-CR-1344: Remote_Actions_With_Domain_Objects: A PowerView script was used. Attackers use the PowerView tool for reconnaissance in Windows domains.
- active_directory_attacks: PT-CR-1343: PowerViewPy_RBCD_Attack: Resource-based constrained delegation is configured in the domain. An attacker can use this setting to obtain a TGS ticket for the attacked account granting administrator access to the server on which the service runs, then elevate privileges and move laterally to other infrastructure nodes.
- active_directory_attacks: PT-CR-1984: Machine_Account_Quota_Changes: A user changed the MS-DS-Machine-Account-Quota attribute (the number of computer accounts that a user is allowed to create in a domain). This may indicate the creation of a new computer account.
- active_directory_attacks: PT-CR-1342: Subrule_PowerView_Objects_Actions: Remote change of domain objects (domain users and groups, machine accounts) using the PowerView tool (PowerViewPy) is detected.
- active_directory_attacks: PT-CR-654: SAM_Account_Name_Spoofing: A user changed the SamAccountName of an AD object to something unusual (the presence or absence of the "$" symbol at the end of the name does not correspond to the object type) or requested a TGT under an account that matches the name of a domain controller. This may indicate a SamAccountName Spoofing attack that can allow attackers to escalate privileges or carry out a Targeted Timeroasting attack.
- active_directory_attacks: PT-CR-653: AdminSDHolder_Modification_Attack: A value was added to the properties of the AdminSDHolder container, which periodically updates the permissions of protected objects. This allows an attacker to gain privileged access and a foothold in the infrastructure.
- teleport: PT-CR-2534: Teleport_Critical_User_Manipulation: A user performed an action with a user account that has a critical role in Teleport. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- teleport: PT-CR-2535: Teleport_Critical_Role_Manipulation: A user changed or deleted a critical role in Teleport. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- teleport: PT-CR-2544: Teleport_Multiple_User_Modification: A user changed a large number of user accounts in a short period of time. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- security_code_secret_net_lsp: PT-CR-1890: SecretNet_LSP_User_Elevating: User privilege escalation.
- security_code_secret_net_lsp: PT-CR-1887: SecretNet_LSP_Multiple_User_Password_Change: Multiple password changes for the same account.
- security_code_secret_net_lsp: PT-CR-1895: SecretNet_LSP_Manipulate_User_With_Critical_Roles: Critical account change.
- kaspersky: PT-CR-1848: Kaspersky_Add_Role_To_User: A user added new rights to a user or group.
- kaspersky: PT-CR-1846: Kaspersky_Enable_User: A user enabled an account.
- microsoft_mecm: PT-CR-1875: MECM_Privileges_Escalation_Via_Role: Privilege escalation for a user in MECM.
- microsoft_mecm: PT-CR-1877: MECM_Create_New_Roles: Creation of a new role in MECM.
- microsoft_mecm: PT-CR-1874: MECM_Not_Allowed_Operation_With_Roles: Attempt to escalate privileges using roles in MECM.
- indeed_pam: PT-CR-2894: Indeed_Important_PAM_User_Group_Actions: A user performed an action with a critical group in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable.
- indeed_pam: PT-CR-2887: Indeed_Important_Applications_Actions: Suspicious actions with applications on the critical application list in Indeed PAM.
- indeed_pam: PT-CR-2897: Indeed_Important_PAM_Host_Account_Actions: A user performed an action with a critical user account on a host in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable.
- indeed_pam: PT-CR-2895: Indeed_Important_PAM_Account_Actions: A user performed an action with a critical user account in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable.
- sap_java_suspicious_user_activity: PT-CR-534: SAPASJAVA_Assign_User_To_Admin_Group: A user is added to an administrators group.
- sap_java_suspicious_user_activity: PT-CR-543: SAPASJAVA_User_Password_Changed: An account password is changed multiple times.
- sap_java_suspicious_user_activity: PT-CR-541: SAPASJAVA_Password_Changed_For_SAP_Standard_Users_And_Logon: The password of a default user was changed, then a user logged in under this account.
- sap_java_suspicious_user_activity: PT-CR-535: SAPASJAVA_Authorization_Assignment_By_Non_Admin_User: A user is added to a group by a non-administrator user.
- vmware_aria: PT-CR-2368: Aria_Operations_Change_Admin_Password_Via_CLI: Changing the administrator password in Aria Operations from the command line without the old password can indicate an attacker attempting to block the owner's access and/or access the Aria Operations data.
- vmware_aria: PT-CR-2381: AOFL_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations for Logs.
- vmware_aria: PT-CR-2380: Aria_Operations_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations.
- network_devices_compromise: PT-CR-2284: ViPNet_Policy_Manager_User_Privileges_Modify: User privileges were changed.
- zabbix: PT-CR-2051: Zabbix_Critical_User_Manipulate: A user changed a critical user account in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- zabbix: PT-CR-2054: Zabbix_User_Multiple_Password_Change: A user changed a password in Zabbix multiple times. This could be an attacker's attempt to gain persistence.
- zabbix: PT-CR-2048: Zabbix_User_Multiple_Unlock: Batch account unlocking in Zabbix. This can be an attacker's attempt to escalate privileges.
- zabbix: PT-CR-2052: Zabbix_Critical_Role_Manipulate: A user performed an action with a critical role in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- zabbix: PT-CR-2050: Zabbix_Critical_Group_Manipulate: A user performed an action with a critical group in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- vipnet_tias: PT-CR-2627: ViPNet_TIAS_Critical_User_Manipulation: A user performed an action with a critical user account in ViPNet TIAS. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.
- passwork: PT-CR-2614: Passwork_Admin_Role_Assignment: A user has been assigned the administrator role in the Passwork application. This could be an attacker's action to escalate privileges or gain a foothold in the system.
- passwork: PT-CR-2608: Passwork_Critical_User_Manipulation: A user performed a suspicious action on a critical user account in Passwork Password Manager. Such actions include role revocation, password harvesting, and user deletion. This could be an attacker's action to escalate privileges or make system and network resources inaccessible.
- mitre_attck_privilege_escalation: PT-CR-2656: Changing_UAC_Flags: Critical userAccountControl attributes of a user or host are changed.
- microsoft_exchange: PT-CR-2356: Exchange_Role_Assignment_Policy_Actions: A user created or changed a management role assignment policy in Exchange. This could be an attacker's attempt to escalate privileges.
- microsoft_exchange: PT-CR-2411: Exchange_Illegal_Distribution_Group_Modify: Change of Active Directory groups with the option to automatically add users.
- microsoft_exchange: PT-CR-2434: Exchange_Distribution_Group_Member_Added: Attempt to add a user to a distribution group.
- microsoft_exchange: PT-CR-2355: Exchange_Admin_Role_Actions: A user performed an action with a management role in Exchange. This may indicate an attacker's attempt to escalate privileges or disrupt the availability of system resources.
- microsoft_exchange: PT-CR-2360: Exchange_Critical_Group_Manipulate: A user changed or deleted a critical group in Exchange. This could be an attacker's attempt to escalate privileges or disrupt system availability.
- freeipa: PT-CR-1958: FreeIPA_Multiple_User_Password_Change: Multiple user password changes.
- freeipa: PT-CR-1957: FreeIPA_User_Manipulate_With_Critical_User: A critical user account was modified.
- enterprise_1c_and_bitrix: PT-CR-674: Enterprise_1C_Manipulate_User_With_Critical_Roles: A critical user account was changed or deleted.
- enterprise_1c_and_bitrix: PT-CR-678: Enterprise_1C_Multiple_User_Unlock: Batch account unlocking.
- enterprise_1c_and_bitrix: PT-CR-675: Enterprise_1C_Multiple_User_Password_Change: Multiple password changes for the same account.
- mitre_attck_persistence: PT-CR-2499: KRBTGT_Delegation: Resource-based constrained delegation was configured for the krbtgt account. Attackers can use this to generate TGTs and gain persistence in the system.
- mitre_attck_persistence: PT-CR-1945: Machine_Account_Attribute_Manipulation: A machine account attribute was changed.
- mitre_attck_persistence: PT-CR-2604: Unauthorized_Reset_Password_For_Sensitive_Users: Unexpected reset of a critical user's password. This may indicate that the user's account was compromised.
- mitre_attck_persistence: PT-CR-1862: Add_User_To_Group: Attempt to add a user to a group.
- mitre_attck_persistence: PT-CR-1348: RID_Hijacking_Persistence: Persistence by hijacking an account's relative identifier (RID).
- mitre_attck_persistence: PT-CR-2594: Hidden_Account_Creation: A hidden account with administrator permissions was created using a new registry key with user information. The event was not recorded in the Windows event log.
- mitre_attck_persistence: PT-CR-432: Critical_Domain_Group_User_Add: A user is added to a privileged domain group.
Subtechniques
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
ID | Data source and component | Description
---|---|---
DS0017 | Command: Command Execution | Monitor executed commands and arguments for suspicious commands to modify accounts or account settings (including files such as the Monitor executed commands and arguments of suspicious commands (such as
DS0002 | User Account: User Account Modification | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
DS0026 | Active Directory: Active Directory Object Modification | Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA.
DS0036 | Group: Group Modification | Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.
DS0022 | File: File Modification | Monitor for changes made to files related to account settings, such as
DS0009 | Process: Process Creation | Monitor for newly constructed processes indicative of modifying account settings, such as those that modify
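The DS0002 guidance above, turned into detection logic over a constructed Windows Security log sample (an added example, not one of the MaxPatrol SIEM rules on this page). It assumes the rule parameters given as constants (the sensitive-group set, business hours, the password-change window and threshold) and uses event IDs 4738 and 4728 with field names mirroring the event XML data fields.

```python
"""Flag suspicious account-modification events from Windows Security log
entries 4738 (user account changed) and 4728 (member added to a
security-enabled global group). Added example; sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: groups treated as sensitive, in the spirit of the page's
# "Significant_Windows_Groups" table list
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 is normal admin time


def detect(events, pw_window=timedelta(minutes=10), pw_threshold=3):
    """Return (rule_name, event) pairs in event time order."""
    alerts = []
    pw_changes = defaultdict(list)  # target account -> recent password-set times
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        subj = ev.get("SubjectUserName", "").lower()
        tgt = ev.get("TargetUserName", "").lower()
        if ev["EventID"] == 4728 and ev.get("GroupName") in SENSITIVE_GROUPS:
            alerts.append(("sensitive_group_add", ev))
        elif ev["EventID"] == 4738:
            # Subject and target differ: someone changed another account,
            # which is most suspicious outside normal hours
            if subj != tgt and ts.hour not in BUSINESS_HOURS:
                alerts.append(("account_changed_off_hours", ev))
            # 4738 reports "Password Last Set" as "-" unless the password was
            # set; repeated sets in a short window suggest cycling through
            # passwords to defeat history/minimum-age policies
            if ev.get("PasswordLastSet", "-") != "-":
                recent = [t for t in pw_changes[tgt] if ts - t <= pw_window]
                recent.append(ts)
                pw_changes[tgt] = recent
                if len(recent) >= pw_threshold:
                    alerts.append(("iterative_password_change", ev))
    return alerts


def _ev(eid, time, subj, tgt, **extra):
    ev = {"EventID": eid, "TimeCreated": time,
          "SubjectUserName": subj, "TargetUserName": tgt}
    ev.update(extra)
    return ev


# Constructed sample log (date and account names are made up)
SAMPLE_EVENTS = [
    _ev(4728, "2024-05-06T10:00:00", "jdoe", "svc-backup", GroupName="Domain Admins"),
    _ev(4738, "2024-05-06T03:12:00", "jdoe", "alice", PasswordLastSet="-"),
    _ev(4738, "2024-05-06T14:00:00", "bob", "bob", PasswordLastSet="5/6/2024 2:00:00 PM"),
    _ev(4738, "2024-05-06T14:02:00", "bob", "bob", PasswordLastSet="5/6/2024 2:02:00 PM"),
    _ev(4738, "2024-05-06T14:04:00", "bob", "bob", PasswordLastSet="5/6/2024 2:04:00 PM"),
    _ev(4738, "2024-05-06T11:00:00", "helpdesk", "carol", PasswordLastSet="5/6/2024 11:00:00 AM"),
]


def run_sample():
    """Rule names fired on SAMPLE_EVENTS, in time order."""
    return [rule for rule, _ in detect(SAMPLE_EVENTS)]
```

The help-desk reset of carol's password during business hours produces no alert, while bob's three password sets within ten minutes do; in production the thresholds and group list would come from the environment's own policy.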
Mitigation
ID | Name | Description
---|---|---
M1018 | User Account Management | Ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies.
M1026 | Privileged Account Management | Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.
M1028 | Operating System Configuration | Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.
M1030 | Network Segmentation | Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.
M1032 | Multi-factor Authentication | Use multi-factor authentication for user and privileged accounts.