T1098 (Defined) · ATT&CK T1098

Account Manipulation

Process · Modify · UserAccount — Modify properties of an existing user account to maintain access or escalate privilege.

Ontological Definition
Actor: Process
Action: Modify
Artifact: UserAccount

Detect

STP 5

The actor.user.name + user.name + activity_id triple is technique-defining and platform-agnostic. Detecting unexpected account modifications (MFA factor additions, group membership changes outside change windows) is STP 5 regardless of IdP.

Gate on: activity_id = Update

Generate EDE-specific sub-techniques per identity platform (T1098.entra, T1098.okta, T1098.aws-iam). Prioritise detecting MFA manipulation and privilege group membership changes.

Mitigate

STP 3

MFA and break-glass approval workflows raise the cost of account modification across all identity platforms but do not prevent the technique for an attacker who already holds an authenticated privileged session.

No STP 5 mitigation exists. Detection is the primary defensive lever.

Enforce Privileged Identity Management (PIM) or equivalent just-in-time access controls for account modification rights across all identity platforms.

Respond

Modified

An existing artifact was changed and remains in use in its altered state. Revert or restore from backup. Investigate all actions taken using the modified permissions or configuration.

Attacker foothold: Modifying Process (actor.process), Admin Account (actor.user)
D3FEND response actions: d3f:ProcessTermination, d3f:AccountLocking, d3f:CredentialRevoking, d3f:NetworkIsolation
OCSF event model

Event class: Account Change Activity (3001)  ·  activity_id: Update

Legend: attacker-controlled · post-success · victim · tainted
%%{init: {"theme": "dark", "themeVariables": {"edgeLabelBackground": "#18181b", "lineColor": "#52525b"}}}%%
graph TD
  classDef attacker fill:#7c2d12,stroke:#ea580c,color:#fed7aa
  classDef victim fill:#1e3a5f,stroke:#3b82f6,color:#bfdbfe
  classDef postSuccess fill:#78350f,stroke:#d97706,color:#fde68a
  classDef tainted fill:#18181b,stroke:#52525b,color:#a1a1aa

  EVENT(["Account Change Activity\n· Update"])

  actor_process["Modifying Process\nactor.process\nd3f:Process"]:::attacker
  actor_user["Admin Account\nactor.user\nd3f:UserAccount"]:::attacker
  target_account["Target Account\nuser\nd3f:UserAccount"]:::victim
  device["Host\ndevice\nd3f:Host\n⚠ tainted"]:::tainted

  EVENT --> actor_process
  actor_process --> actor_user
  EVENT --> target_account
  EVENT --> device

  actor_process -.->|"modifies"| target_account
Modifying Process (actor.process · d3f:Process): attacker-controlled
  actor.process.file.path [attacker_controlled]: Tool or client performing the change — Execution Medium, attacker-chosen
  Countermeasures: d3f:ProcessTermination

Admin Account (actor.user · d3f:UserAccount): attacker-controlled
  actor.user.name [attacker_controlled]: Compromised admin account used — attacker-chosen from available credentials
  Countermeasures: d3f:AccountLocking, d3f:CredentialRevoking

Target Account (user · d3f:UserAccount): victim
  user.name [variable]: Account being modified — victim-side, value varies
  Countermeasures: d3f:AccountLocking

Host (device · d3f:Host): tainted
  Countermeasures: d3f:NetworkIsolation
Definitional Sigma rule

Broad by design — defines the technique, not an operational alert. Gate on variable or attacker-controlled field conditions to narrow for production use.

title: Account Manipulation (T1098)
status: experimental
description: >
  Definitional rule — broad by design. Defines the technique independent of
  medium, tool, or attacker-controlled variables. Narrow with variable and
  attacker-controlled field conditions for operational use.
logsource:
  product: ocsf
  category: Account Change Activity (3001)
detection:
  selection:
    activity_id: 'Update'
  condition: selection
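The definitional selection above, followed by the operational narrowing the Detect section calls for (MFA factor additions and privileged group membership changes outside change windows), as an added Python example that is not part of this catalogue page. It gates on the actor.user.name + user.name + activity_id triple and then applies the narrowing conditions over a few constructed OCSF Account Change Activity (3001) events. The `change` sub-object, the privileged group names, the change window and the sample events are constructed for the example and are not OCSF-standard fields; matching the Update activity by its name string (`activity_name`) rather than a numeric `activity_id` is an assumption made to mirror the rule's 'Update' value.

```python
# Added example, not the catalogue's own code: an operational narrowing of the
# definitional T1098 rule over OCSF Account Change Activity (3001) events.
# The definitional gate is the actor.user.name + user.name + activity_id triple;
# the narrowing flags MFA factor additions and privileged-group membership
# changes outside an approved change window. The `change` sub-object, the
# group names, the change window and the sample events are constructed for
# this example and are not OCSF-standard fields.
from datetime import datetime, time, timezone
from typing import Iterable, List, Optional, Tuple

# Assumed tenant settings: which groups count as privileged and when
# scheduled membership changes are expected (02:00-04:00 UTC here).
PRIVILEGED_GROUPS = {"Global Administrators", "Domain Admins"}
CHANGE_WINDOW_UTC = (time(2, 0), time(4, 0))


def in_change_window(timestamp: str) -> bool:
    """True when an ISO-8601 timestamp falls inside the approved change window."""
    clock = datetime.fromisoformat(timestamp).astimezone(timezone.utc).time()
    start, end = CHANGE_WINDOW_UTC
    return start <= clock < end


def definitional_match(event: dict) -> bool:
    """The definitional rule: class 3001, activity Update, and both sides of
    the actor.user.name / user.name triple present. Matching Update by its
    name string mirrors the Sigma rule's 'Update' value (an assumption);
    a production mapping would use the numeric activity_id."""
    actor_name = event.get("actor", {}).get("user", {}).get("name")
    target_name = event.get("user", {}).get("name")
    return (
        event.get("class_uid") == 3001
        and event.get("activity_name") == "Update"
        and bool(actor_name)
        and bool(target_name)
    )


def classify(event: dict) -> Optional[str]:
    """Return an alert label for an operationally interesting update, else None.

    Only events that pass the definitional gate are considered. MFA factor
    additions are always flagged; privileged-group additions are flagged only
    when they happen outside the change window."""
    if not definitional_match(event):
        return None
    change = event.get("change", {})  # constructed field for this example
    kind = change.get("kind")
    if kind == "mfa_factor_add":
        return "mfa_factor_added"
    if kind == "group_membership_add" and change.get("group") in PRIVILEGED_GROUPS:
        if not in_change_window(event["time"]):
            return "privileged_group_add_outside_window"
    return None


def triage(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """(actor, target, label) for every event that earns an alert label."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((event["actor"]["user"]["name"], event["user"]["name"], label))
    return findings


def _event(actor: str, target: str, activity: str, when: str, change: dict) -> dict:
    """Build a minimal constructed 3001 event carrying the fields used above."""
    return {
        "class_uid": 3001,
        "activity_name": activity,
        "time": when,
        "actor": {"user": {"name": actor}},
        "user": {"name": target},
        "change": change,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Privileged group add during business hours: flagged.
    _event("alice.admin", "bob", "Update", "2024-05-01T14:12:00+00:00",
           {"kind": "group_membership_add", "group": "Global Administrators"}),
    # Same change inside the scheduled window: not flagged.
    _event("svc.provisioning", "carol", "Update", "2024-05-02T02:30:00+00:00",
           {"kind": "group_membership_add", "group": "Global Administrators"}),
    # MFA factor added to an account: flagged.
    _event("dave", "dave", "Update", "2024-05-01T09:05:00+00:00",
           {"kind": "mfa_factor_add", "factor": "authenticator_app"}),
    # Cosmetic attribute change: passes the definitional gate, no alert.
    _event("alice.admin", "erin", "Update", "2024-05-01T10:00:00+00:00",
           {"kind": "display_name"}),
    # Account creation: not an Update, fails the definitional gate.
    _event("alice.admin", "frank", "Create", "2024-05-01T11:00:00+00:00",
           {"kind": "create"}),
]

if __name__ == "__main__":
    for actor, target, label in triage(SAMPLE_EVENTS):
        print(f"{label}: {actor} -> {target}")
```

The two layers are kept separate on purpose: `definitional_match` is the STP 5 technique definition and should stay broad, while `classify` carries the tenant-specific conditions (group names, change window, which change kinds matter) that make the rule usable as a production alert.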
Environment-dependent entities

Generate org-specific sub-techniques using T1098.<platform>

Directory Service

On-premises identity and directory services

Active Directory, OpenLDAP, FreeIPA
Cloud Identity Provider

Cloud-hosted identity and access management platforms

Entra ID (Azure AD), Okta, Ping Identity, Google Workspace
Cloud Service Provider IAM

Native IAM systems for cloud platforms

AWS IAM, GCP IAM, Azure RBAC
SaaS Application

Application-local user management

GitHub Organisations, Salesforce, ServiceNow
Seen in the wild (1 report)

OAuth device code flow grants the attacker's registered application persistent M365 access and refresh tokens — the victim's account is modified to carry an attacker-controlled OAuth grant without any password compromise.