T1098 — Account Manipulation

Technique

T1098

Tactics

Persistence, Privilege Escalation

MISP citations

0

KEV CVEs mapped

2

Community rules

32

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1098

MITRE description

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2021-32030
• CVE-2012-0767

Detection coverage

SigmaHQ community rules

• Suspicious Computer Account Name Change CVE-2021-42287 (emerging-threats)
• Bitbucket Global Permission Changed (core)
• AWS IAM Backdoor Users Keys (core)
• AWS Route 53 Domain Transfer Lock Disabled (core)
• AWS Route 53 Domain Transferred to Another Account (core)
• AWS User Login Profile Was Modified (core)
• Number Of Resource Creation Or Deployment Activities (core)
• Change to Authentication Method (core)
• Bulk Deletion Changes To Privileged Account Permissions (core)
• Anomalous User Activity (core)
• GCP Access Policy Deleted (core)
• Google Workspace Granted Domain API Access (core)
• Google Workspace User Granted Admin Privileges (core)
• Privileged User Has Been Created (core)
• ESXi Admin Permission Assigned To Account Via ESXCLI (core)
• Cisco Local Accounts (core)
• A Member Was Added to a Security-Enabled Global Group (core)
• A Member Was Removed From a Security-Enabled Global Group (core)
• A Security-Enabled Global Group Was Deleted (core)
• Powerview Add-DomainObjectAcl DCSync AD Extend Right (core)
• Enabled User Right in AD to Control User Objects (core)
• Active Directory User Backdoors (core)
• A New Trust Was Created To A Domain (core)
• Password Change on Directory Service Restore Mode (DSRM) Account (core)
• User Added to Local Administrator Group (core)

Showing 25 of 32 community rules — the full set is tagged attack.t1098 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.