T1098 | Persistence | Hard difficulty

Account Manipulation

Account Manipulation (T1098) is a MITRE ATT&CK technique in the Persistence tactic. SOC analysts detect it by monitoring SIEM and XDR telemetry for behavioral anomalies and for the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Detection tools: SIEM, XDR

What is Account Manipulation?

Adversaries may manipulate accounts to maintain or improve access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials, cloning accounts, or granting additional permissions. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password history requirements or enrolling additional authentication methods to bypass multi-factor authentication. Adversaries may also modify account attributes to avoid detection, such as changing the display name, email address, or group membership of compromised accounts. In cloud environments, account manipulation often targets IAM roles, service principals, and OAuth application permissions to establish persistent access pathways that survive credential rotations.

Account Manipulation is documented as technique T1098 in the MITRE ATT&CK knowledge base under the Persistence tactic. Detection requires visibility into SIEM and XDR telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Account Manipulation activity. These methods apply across SIEM and XDR environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Monitor for changes to user account attributes in Active Directory, including SIDHistory modifications, AdminSDHolder changes, and group membership modifications for sensitive groups.

2. Track password reset and credential modification events, particularly for privileged accounts, service accounts, and accounts that have recently been involved in suspicious authentication activity.

3. Alert on enrollment of new MFA methods or authentication devices for accounts that were not previously enrolled, as attackers may add their own authentication factors to maintain access after password changes.

4. Monitor cloud platform audit logs for IAM permission changes, role policy modifications, and service principal credential additions that were not authorized through change management processes.

5. Detect modifications to SSH authorized_keys files on Linux servers and workstations, as attackers frequently add their own public keys to maintain persistent SSH access even after password-based credentials are changed.
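Strategies 1 and 2 above come down to correlating a handful of Windows Security audit events with context about who is allowed to do what. The script below is an added example, not SOCSimulator's own code: it runs a minimal version of that correlation over constructed, already-normalized event records (a SIEM would parse the raw events). The Event IDs are the real Windows Security audit IDs; the sensitive-group list, the set of authorized group managers, the privileged-account list, and the off-hours window are assumptions that would be tuned per environment.

```python
"""Correlate Windows Security events for T1098-style account manipulation.

Added example, not SOCSimulator code. Event records are constructed here in a
simplified, already-normalized shape; the Event IDs are the real Windows
Security audit IDs. Group lists, authorized actors and hours are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Groups whose membership changes warrant an alert (all AdminSDHolder-protected).
SENSITIVE_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}
# Accounts permitted to change privileged-group membership (assumption: local policy).
AUTHORIZED_GROUP_MANAGERS = {"admin_jbaker"}
# Accounts whose password resets always deserve review (assumption).
PRIVILEGED_ACCOUNTS = {"admin_jbaker", "svc_backup"}

# Windows Security Event IDs used by this detection.
GROUP_ADD_EVENTS = {4728: "global group", 4732: "local group", 4756: "universal group"}
PASSWORD_RESET_EVENT = 4724     # An attempt was made to reset an account's password
SIDHISTORY_ADDED_EVENT = 4765   # SID History was added to an account


@dataclass
class Event:
    event_id: int
    when: datetime
    subject: str        # account performing the action
    target: str         # account or group acted upon
    group: str = ""     # group name, for membership events
    member: str = ""    # member added, for membership events


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str


def off_hours(ts: datetime) -> bool:
    """True outside 07:00-19:00 local time (assumed business hours)."""
    return ts.hour < 7 or ts.hour >= 19


def evaluate(events: list[Event]) -> list[Finding]:
    """Return one Finding per event that matches a detection rule."""
    findings = []
    for ev in events:
        if ev.event_id in GROUP_ADD_EVENTS and ev.group in SENSITIVE_GROUPS:
            severity = "High"
            reasons = [f"{ev.member} added to {ev.group} by {ev.subject}"]
            if ev.subject not in AUTHORIZED_GROUP_MANAGERS:
                severity = "Critical"
                reasons.append("actor not authorized to manage privileged groups")
            if off_hours(ev.when):
                reasons.append(f"off-hours change at {ev.when:%H:%M}")
            findings.append(Finding(severity, "Privileged Group Membership Changed",
                                    "; ".join(reasons)))
        elif ev.event_id == PASSWORD_RESET_EVENT and ev.target in PRIVILEGED_ACCOUNTS:
            findings.append(Finding("High", "Privileged Account Password Reset",
                                    f"{ev.subject} reset password of {ev.target}"))
        elif ev.event_id == SIDHISTORY_ADDED_EVENT:
            # SIDHistory writes are legitimate only during domain migrations;
            # anything outside a migration window is treated as critical.
            findings.append(Finding("Critical", "SIDHistory Modified",
                                    f"{ev.subject} added SID history to {ev.target}"))
    return findings


# Constructed sample events modelled on the page's third example alert.
SAMPLE_EVENTS = [
    Event(4728, datetime(2024, 3, 4, 23, 47), "svc_provisioning", "Domain Admins",
          group="Domain Admins", member="bjohnson"),
    Event(4728, datetime(2024, 3, 4, 10, 5), "svc_provisioning", "Sales",
          group="Sales", member="bjohnson"),                    # routine, not sensitive
    Event(4724, datetime(2024, 3, 4, 23, 50), "svc_provisioning", "admin_jbaker"),
    Event(4724, datetime(2024, 3, 4, 9, 0), "helpdesk1", "mlee"),  # routine reset
    Event(4765, datetime(2024, 3, 4, 23, 52), "svc_provisioning", "bjohnson"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run as-is, the sample produces three findings: a Critical group-membership change (unauthorized actor, off-hours), a High password reset on a privileged account, and a Critical SIDHistory write; the two routine events produce nothing. In a real deployment the allow-lists would come from the identity system or a change-management feed rather than constants.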

Example Alerts

These realistic alert examples show what Account Manipulation looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

High | SIEM

MFA Device Enrolled for Administrator Account

New MFA device enrolled for account admin_jbaker from an IP address in Russia. The account owner has not submitted a helpdesk ticket for MFA enrollment and was not scheduled for a device upgrade. The enrolling IP has no prior authentication history for this account and appears on threat intelligence as associated with APT infrastructure.

Critical | XDR

SSH Authorized Keys Modified on Production Server

File integrity monitoring detected modification to /home/deploy/.ssh/authorized_keys on production database server DB-PROD-01. A new public key was appended that does not belong to any registered IT staff member. The modification was made by the deploy service account which should not normally modify SSH configuration files.

High | SIEM

Privileged Group Membership Changed

Active Directory audit shows standard user account bjohnson added to Domain Admins group at 11:47 PM. The modification was made by a service account used for automated provisioning that is not authorized to modify privileged groups. The service account credentials were potentially compromised as part of a broader intrusion detected on the network.
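The second alert above fires because a key in authorized_keys does not match any registered staff key. The check that produces such an alert is shown below as an added example, not SOCSimulator's code: it parses the OpenSSH authorized_keys format (including leading option strings such as `restrict,from="..."`), computes OpenSSH-style SHA256 fingerprints, and reports entries whose fingerprint is not in an allow-list of registered keys. The file contents, the register, and the key blobs (base64 of placeholder bytes, not real key material) are all constructed.

```python
"""Check an SSH authorized_keys file against a register of approved keys.

Added example, not SOCSimulator code. The sample file and key register are
constructed (the base64 blobs are placeholder bytes, not real keys); the
parsing and fingerprint rules follow the OpenSSH authorized_keys format.
"""
import base64
import hashlib
import shlex

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
)


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the hash of the raw blob."""
    raw = base64.b64decode(blob_b64, validate=True)   # binascii.Error is a ValueError
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """One record per key line; tolerates comments, blanks and option prefixes."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)     # handles quoted options like command="..."
        except ValueError:
            records.append({"line": lineno, "error": "unbalanced quotes"})
            continue
        options = ""
        if fields and fields[0] not in KEY_TYPES:  # an options field precedes the key type
            options, fields = fields[0], fields[1:]
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            records.append({"line": lineno, "error": "unparseable entry"})
            continue
        ktype, blob = fields[0], fields[1]
        try:
            fp = fingerprint(blob)
        except ValueError:
            records.append({"line": lineno, "error": "invalid base64 key blob"})
            continue
        records.append({"line": lineno, "type": ktype, "fingerprint": fp,
                        "options": options, "comment": " ".join(fields[2:])})
    return records


def unregistered_keys(text: str, registered: set[str]) -> list[dict]:
    """Entries that are malformed or whose fingerprint is not in the register."""
    return [r for r in parse_authorized_keys(text)
            if "error" in r or r["fingerprint"] not in registered]


# Constructed sample: one registered staff key and one appended unknown key.
STAFF_KEY = base64.b64encode(b"constructed-not-a-real-key:deploy-staff-01").decode()
ROGUE_KEY = base64.b64encode(b"constructed-not-a-real-key:unknown-00000").decode()
SAMPLE_AUTHORIZED_KEYS = f"""# /home/deploy/.ssh/authorized_keys (constructed sample)
ssh-ed25519 {STAFF_KEY} deploy@jumphost
restrict,from="10.20.0.0/16" ssh-ed25519 {ROGUE_KEY} backup
"""
REGISTERED_FINGERPRINTS = {fingerprint(STAFF_KEY)}

if __name__ == "__main__":
    for rec in unregistered_keys(SAMPLE_AUTHORIZED_KEYS, REGISTERED_FINGERPRINTS):
        print(f"line {rec['line']}: {rec.get('error') or rec['fingerprint']} "
              f"{rec.get('comment', '')}".rstrip())
```

Matching on fingerprints rather than on the comment field matters: the comment is free text that anyone appending a key can set to look like a staff member's name. Run from file-integrity monitoring on every change to the file, the same function turns a raw "authorized_keys modified" event into the "key not registered to any staff member" verdict the alert text describes.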

Practice Detecting Account Manipulation

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Account Manipulation. Build detection skills with zero consequences — free forever.

12,000+ analysts trained
No credit card required

Frequently Asked Questions

How do SOC analysts detect Account Manipulation?
SOC analysts detect Account Manipulation (T1098) by monitoring SIEM and XDR telemetry for behavioral anomalies and specific indicators. Key detection methods include monitoring for changes to user account attributes in Active Directory, including SIDHistory modifications, AdminSDHolder changes, and group membership modifications for sensitive groups. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Account Manipulation?
Account Manipulation can be detected using SIEM and XDR platforms. SIEM tools are particularly effective for this technique because they provide visibility into the persistence phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Account Manipulation in real-world attacks?
Account Manipulation is a well-documented MITRE ATT&CK technique in the Persistence tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Account Manipulation scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Account Manipulation for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Persistence techniques like Account Manipulation. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.