Account Manipulation (T1098)

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

Events covered

39 catalog events are tagged with this technique by at least one rule.

Provider | Event | Title
Sysmon | Event ID 1 | Process creation
Sysmon | Event ID 13 | RegistryEvent (Value Set)
Security-Auditing | Event ID 4624 | An account was successfully logged on.
Security-Auditing | Event ID 4625 | An account failed to log on.
Security-Auditing | Event ID 4634 | An account was logged off.
Security-Auditing | Event ID 4662 | An operation was performed on an object.
Security-Auditing | Event ID 4663 | An attempt was made to access an object.
Security-Auditing | Event ID 4673 | A privileged service was called.
Security-Auditing | Event ID 4688 | A new process has been created.
Security-Auditing | Event ID 4704 | A user right was assigned.
Security-Auditing | Event ID 4706 | A new trust was created to a domain.
Security-Auditing | Event ID 4720 | A user account was created.
Security-Auditing | Event ID 4722 | A user account was enabled.
Security-Auditing | Event ID 4723 | An attempt was made to change an account's password.
Security-Auditing | Event ID 4724 | An attempt was made to reset an account's password.
Security-Auditing | Event ID 4725 | A user account was disabled.
Security-Auditing | Event ID 4726 | A user account was deleted.
Security-Auditing | Event ID 4727 | A security-enabled global group was created.
Security-Auditing | Event ID 4728 | A member was added to a security-enabled global group.
Security-Auditing | Event ID 4729 | A member was removed from a security-enabled global group.
Security-Auditing | Event ID 4730 | A security-enabled global group was deleted.
Security-Auditing | Event ID 4731 | A security-enabled local group was created.
Security-Auditing | Event ID 4732 | A member was added to a security-enabled local group.
Security-Auditing | Event ID 4733 | A member was removed from a security-enabled local group.
Security-Auditing | Event ID 4738 | A user account was changed.
Security-Auditing | Event ID 4741 | A computer account was created.
Security-Auditing | Event ID 4742 | A computer account was changed.
Security-Auditing | Event ID 4754 | A security-enabled universal group was created.
Security-Auditing | Event ID 4756 | A member was added to a security-enabled universal group.
Security-Auditing | Event ID 4757 | A member was removed from a security-enabled universal group.
Security-Auditing | Event ID 4781 | The name of an account was changed.
Security-Auditing | Event ID 4794 | An attempt was made to set the Directory Services Restore Mode administrator password.
Security-Auditing | Event ID 5136 | A directory service object was modified.
Security-Auditing | Event ID 5137 | A directory service object was created.
Security-Auditing | Event ID 5145 | A network share object was checked to see whether client can be granted desired access.
Defender-DeviceEvents | UserAccountAddedToLocalGroup | User account added to local group
PowerShell | Event ID 4103 | Payload Context: ContextInfo User Data: UserData.
PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal).
PowerShell | Event ID 800 | Event ID 800

Authoring guide

Patterns shared across the 113 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (74 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
EventID | 29 | eq 24, in 6 | 4728, 4732, 4720, 5136, 4688
AttributeLDAPDisplayName | 14 | eq 14 | serviceprincipalname, msds-allowedtoactonbehalfofotheridentity, ntsecuritydescriptor, dsheuristics, msds-allowedtodelegateto
CommandLine | 13 | contains 10, match 3, in 1 | "(?i)(\-u)|(user)|(localgroup)|(group)", (?i).add, -group , /add, administrateur
TargetSid | 12 | starts_with 6, ends_with 4, eq 3, regex_match 3, wildcard 1 | "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]...", S-1-5-32-5[0-9][0-9]$, S-1-5-21-, S-1-5-32-544, -512
UserAccountControl | 12 | eq 11, contains 1 | %%2089, %%2093, %%2098, %%2062, %%2082
Channel | 11 | eq 11, in 11 |
TargetUserName | 11 | eq 8, contains 1, ends_with 1, starts_with 1 | DnsAdmins, $, Administr, CSAdministrator, CSArchivingAdministrator
eventtype | 11 | eq 11 |
AttributeValue | 7 | contains 2, starts_with 2, eq 1, in 1, length_compare 1, match 1 | -, 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;s-1-5-21-, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;s-1-5-21-
ObjectClass | 7 | eq 7 | user, computer, dnsNode, dnsZone, dnsZoneScope
OperationType | 7 | eq 7 | %%14674
ScriptBlockText | 7 | contains 6, in 1 | *install-module -name aadinternals*, *install-module -name az.resources*, *install-module -name azuread*, -createdelegatedserviceaccount, -group
SubjectUserSid | 7 | eq 4, starts_with 2, regex_match 1 | S-1-5-18, S-1-5-21-, S-\d-\d+-\d+-(\d+-){1,5}\d+
Image | 6 | ends_with 6 | \net.exe, \net1.exe, \powershell.exe, \powershell_ise.exe, \pwsh.exe
AccountType | 5 | eq 5 | User

Top indicator values (374 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. A blank Corpus reach means the combination is specific to rules under this technique. Values containing a "|" are quoted so they do not read as column separators.

Field | Kind | Value | Rules (here) | Corpus reach
OperationType | eq | %%14674 | 7 | 17
AttributeLDAPDisplayName | eq | serviceprincipalname | 6 | 9
AttributeLDAPDisplayName | eq | msds-allowedtoactonbehalfofotheridentity | 2 | 3
AttributeLDAPDisplayName | eq | ntsecuritydescriptor | 2 | 7
AccountType | eq | User | 5 | 9
AllowedToDelegateTo | eq | - | 4 | 4
EventID | eq | 5136 | 4 | 29
EventID | eq | 4688 | 3 | 312
EventID | eq | 4720 | 3 | 5
EventID | eq | 4728 | 3 | 3
EventID | eq | 4732 | 3 | 4
EventID | eq | 1 | 2 | 232
EventID | in | 4728 | 4 | 4
EventID | in | 4732 | 4 | 4
EventID | in | 4756 | 3 | 4
ObjectClass | eq | user | 4 | 6
SubjectUserSid | eq | S-1-5-18 | 4 | 8
TargetSid | starts_with | S-1-5-21- | 4 | 4
CommandLine | match | "(?i)(\-u)|(user)|(localgroup)|(group)" | 3 | 3
CommandLine | match | (?i).add | 3 | 3
OldTargetUserName | ends_with | $ | 3 | 3
SubjectUserName | ends_with | $ | 3 | 37
TargetSid | regex_match | "S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-21-[0-9]*-[0-9]*-[0-9]*-1102..." | 3 | 3
TargetSid | regex_match | S-1-5-32-5[0-9][0-9]$ | 3 | 3
status | eq | success | 3 | 3
unique_users | gt | 5 | 3 | 3
CommandLine | contains | -group | 2 | 3
CommandLine | contains | /add | 2 | 5
CommandLine | contains | add-localgroupmember | 2 | 3
CommandLine | contains | localgroup | 2 | 3

Exclusions (36 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
AllowedToDelegateTo | eq | - | 4
SubjectUserSid | eq | S-1-5-18 | 4
SubjectUserName | ends_with | $ | 3
EventData | contains | s-1-5-32-555 | 2
NewTargetUserName | ends_with | $ | 2
OldTargetUserName | ends_with | $ | 2
TargetSid | eq | S-1-5-32-555 | 2
TargetUserName | ends_with | $ | 2
AttributeValue | eq | - | 1
Computer | contains | actor | 1
Computer | eq | %domain_controllers% | 1
MemberSid | eq | S-1-5-20 | 1
NewTargetUserName | match | $ | 1
ObjectClass | eq | dnsNode | 1
ObjectClass | eq | dnsZone | 1
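The following Python script is an added example, not the catalog's own code and not any of the rules it lists. It takes three indicator rows from the "Top indicator values" table (EventID in 4728/4732/4756 and the two visible TargetSid patterns) and two rows from the exclusions table (SubjectUserName ends_with $ and TargetSid eq S-1-5-32-555), layers them into one detector, and runs it over constructed sample events to show how much each layer removes. The event labels, user names and SIDs are made up; the first TargetSid pattern is only the visible head of a longer pattern that the page truncates.

```python
import re

# Group-membership-added events from the "Events covered" table.
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

# TargetSid patterns from the "Top indicator values" table. The first is only
# the visible head of a longer pattern that the page truncates.
PRIVILEGED_TARGET_SID = re.compile(
    r"S-1-5-21-[0-9]*-[0-9]*-[0-9]*-5[0-9][0-9]$|S-1-5-32-5[0-9][0-9]$"
)

# Exclusions from the "Exclusions" table: an acting machine account
# (SubjectUserName ends_with "$") and the S-1-5-32-555 target group.
EXCLUDED_TARGET_SIDS = {"S-1-5-32-555"}


def matches_broad(event):
    """Layer 1: EventID alone. Fires on every group-membership-added event."""
    return event.get("EventID") in GROUP_ADD_EVENT_IDS


def matches_combined(event):
    """Layer 2: EventID plus a TargetSid that matches the privileged-group patterns."""
    if not matches_broad(event):
        return False
    return PRIVILEGED_TARGET_SID.search(event.get("TargetSid", "")) is not None


def is_excluded(event):
    """Top-level not() clauses, mirroring the catalog's exclusion rows."""
    if event.get("SubjectUserName", "").endswith("$"):
        return True
    return event.get("TargetSid") in EXCLUDED_TARGET_SIDS


def evaluate(events):
    """Return the event labels each layer keeps: broad, combined, and final alerts."""
    broad = [e["id"] for e in events if matches_broad(e)]
    combined = [e["id"] for e in events if matches_combined(e)]
    alerts = [e["id"] for e in events if matches_combined(e) and not is_excluded(e)]
    return {"broad": broad, "combined": combined, "alerts": alerts}


# Constructed sample events; the labels, account names and domain SIDs are made up.
SAMPLE_EVENTS = [
    {"id": "builtin-admins-add", "EventID": 4732, "SubjectUserName": "alice",
     "TargetSid": "S-1-5-32-544"},
    {"id": "custom-group-add", "EventID": 4728, "SubjectUserName": "helpdesk1",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1104"},
    {"id": "dc-enterprise-admins-add", "EventID": 4756, "SubjectUserName": "DC01$",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-519"},
    {"id": "rdp-users-add", "EventID": 4732, "SubjectUserName": "helpdesk1",
     "TargetSid": "S-1-5-32-555"},
    {"id": "user-created", "EventID": 4720, "SubjectUserName": "alice",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"id": "domain-admins-add", "EventID": 4728, "SubjectUserName": "bob",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-512"},
]

if __name__ == "__main__":
    for layer, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{layer:9s} {len(ids)} event(s): {ids}")
```

On the six constructed events the EventID-only layer keeps five, adding the TargetSid pattern drops the custom-group change, and the two exclusions drop the machine-account change and the S-1-5-32-555 change, leaving two alerts. This is the practical meaning of the Corpus reach guidance above: a bare EventID indicator is shared by many rules because it is broad, and the per-technique signal comes from the second condition and the exclusions.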

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor; each rule's own entry carries its full predicates, exclusions, and indicators.

Sigma: 59 rules

Elastic: 18 rules

Splunk: 22 rules

Kusto: 14 rules