Account Manipulation (T1098)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
Events covered
39 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 113 rules listed on this page: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (74 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (374 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get a useful signal. A blank entry means the combination appears only in rules under this technique.
Exclusions (36 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma (59 rules)
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- Account marked as sensitive and cannot be delegated had its protection removed (weakness introduction)
- Account password set to never expire.
- Account set with Kerberos DES encryption activated (weakness introduction)
- Account set with Kerberos pre-authentication not required (AS-REP Roasting)
- Account set with password not required (weakness introduction)
- Account set with reversible encryption (weakness introduction)
- Active Directory User Backdoors
- Computer account created with privileges
- Computer account manipulation for delegation (RBCD)
- Computer account renamed without a trailing $ (CVE-2021-42278/42287)
- Disabled guest or builtin account activated
- Disabled guest or builtin account activated (command)
- DMSA Link Attributes Modified
- DMSA Service Account Created in Specific OUs - PowerShell
- Domain group membership change
- DSRM password changed (native)
- DSRM password changed (Reg via command)
- DSRM password changed (Reg via PowerShell)
- Enabled User Right in AD to Control User Objects
- Hidden account creation (with fast deletion)
- High risk Active Directory group membership change
- High risk local/domain local group membership change
- Host constrained delegation settings changed for potential abuse (Rubeus) - Any protocol
- Host constrained delegation settings changed for potential abuse (Rubeus) - Kerberos only
- Host set with constrained delegation
- Host set with unconstrained delegation
- Host unconstrained delegation settings changed for potential abuse (Rubeus)
- Local group membership change
- Medium risk Active Directory group membership change
- Medium risk local/domain local group membership change
- Member added to DNSadmin group
- New DMSA Service Account Created in Specific OUs
- New member added to a "OCS/Lync/Skype for Business" administration group (low risk)
- New member added to a "OCS/Lync/Skype for Business" administration group (medium risk)
- New member added to an "OCS/Lync/Skype for Business" administration group (high risk)
- New member added to an Exchange administration group (high risk)
- New member added to an Exchange administration group (medium risk)
- Password Change on Directory Service Restore Mode (DSRM) Account
- Password Set to Never Expire via WMI
- Powershell LocalAccount Manipulation
- Powerview Add-DomainObjectAcl DCSync AD Extend Right
- Privilege SeMachineAccountPrivilege abuse
- SPN added to an account by command line
- Suspicious Computer Account Name Change CVE-2021-42287
- Suspicious modification of a computer account SPN
- Suspicious modification of a fake domain controller SPN (DCshadow)
- Suspicious modification of a fake domain controller SPN (DCshadow) (Directory Services)
- Suspicious modification of a user account SPN to enable Kerberoast attack
- User account creation disguised in a computer account
- User added to a group via commandline
- User Added To Highly Privileged Group
- User Added to Local Administrator Group
- User Added to Local Administrators Group
- User password change using current hash password - ChangeNTLM (Mimikatz)
- User password change without previous password known - SetNTLM (Mimikatz)
Elastic (18 rules)
- Account Configured with Never-Expiring Password
- Account Password Reset Remotely
- Active Directory Group Modification by SYSTEM
- AdminSDHolder Backdoor
- AdminSDHolder SDProp Exclusion Added
- Delegated Managed Service Account Modification by an Unusual User
- dMSA Account Creation by an Unusual User
- Kerberos Pre-authentication Disabled for User
- KRBTGT Delegation Backdoor
- Modification of the msPKIAccountCredentials
- New ActiveSyncAllowedDeviceID Added via PowerShell
- Potential Active Directory Replication Account Backdoor
- Potential Privileged Escalation via SamAccountName Spoofing
- Potential Shadow Credentials added to AD Object
- Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal
- User account exposed to Kerberoasting
- User Added to Privileged Group in Active Directory
- WRITEDAC Access on Active Directory Object
Splunk (22 rules)
- Account set to active via Net.exe (EDR)
- Account set to active via Net.exe (Sysmon)
- Account set to active via Net.exe (Windows Event Log)
- Create_Add Local_Domain User (EDR)
- Create_Add Local_Domain User (Sysmon)
- Create_Add Local_Domain User (Windows Event Log)
- Member added to security-enabled global group (Windows Event Log)
- Windows AD add Self to Group
- Windows AD DSRM Account Changes
- Windows AD DSRM Password Reset
- Windows AD Privileged Group Modification
- Windows AD Self DACL Assignment
- Windows AD ServicePrincipalName Added To Domain Account
- Windows AD Short Lived Domain Account ServicePrincipalName
- Windows Azure PowerShell Module Installation Via PowerShell Script
- Windows DnsAdmins New Member Added
- Windows Entra User Management Via Azure CLI
- Windows Increase in Group or Object Modification Activity
- Windows Increase in User Modification Activity
- Windows Multiple Account Passwords Changed
- Windows Multiple Accounts Deleted
- Windows Multiple Accounts Disabled
Kusto (14 rules)
- Account added and removed from privileged groups
- AD account with Don't Expire Password
- AD user enabled and password not set within 48 hours
- DEV-0270 New User Creation
- DSRM Account Abuse
- Group created then added to built in domain local or global group
- Local Admin Group Changes
- New user created and added to the built-in administrators group
- Shadow Credentials Added to Account
- Shadow Credentials Added to Account (Alternative)
- Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
- User account added to built in domain local or global group
- User account created and deleted within 10 mins
- User account enabled and disabled within 10 mins