Account Manipulation - T1098
(ATT&CK® Technique)
Definition
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
D3FEND Inferred Relationships
Artifacts affected by Account Manipulation (T1098):
- creates: Credential
- modifies: User Account
- modifies: Domain User Account
- modifies: Global User Account
- produces: Intranet Administrative Network Traffic

Defensive techniques, the artifact each acts on, and the inferred relationship to T1098:
- Protocol Metadata Anomaly Detection: analyzes Intranet Administrative Network Traffic; may-detect T1098
- Remote Terminal Session Detection: analyzes Intranet Administrative Network Traffic; may-detect T1098
- Connection Attempt Analysis: analyzes Intranet Administrative Network Traffic; may-detect T1098
- Network Traffic Community Deviation: analyzes Intranet Administrative Network Traffic; may-detect T1098
- Client-server Payload Profiling: analyzes Intranet Administrative Network Traffic; may-detect T1098
- Network Traffic Signature Analysis: analyzes Intranet Administrative Network Traffic; may-detect T1098
- Per Host Download-Upload Ratio Analysis: analyzes Intranet Administrative Network Traffic; may-detect T1098
- Administrative Network Activity Analysis: analyzes Intranet Administrative Network Traffic; may-detect T1098
- Decoy User Credential: spoofs Credential; may-deceive T1098
- Domain Account Monitoring: monitors Domain User Account and Global User Account; may-detect T1098
- User Geolocation Logon Pattern Analysis: analyzes Intranet Administrative Network Traffic; may-detect T1098
- Credential Compromise Scope Analysis: analyzes Credential; may-detect T1098
- Account Locking: disables User Account, Domain User Account and Global User Account; may-evict T1098
- Credential Revocation: deletes Credential; may-evict T1098
- Authentication Cache Invalidation: deletes Credential; may-evict T1098
- Credential Rotation: regenerates Credential; may-harden T1098
- Multi-factor Authentication: uses Credential; may-harden T1098
- Credential Transmission Scoping: isolates Credential; may-isolate T1098
- User Account Permissions: restricts User Account, Domain User Account and Global User Account; may-isolate T1098
- Network Traffic Filtering: filters Intranet Administrative Network Traffic; may-isolate T1098
- Restore User Account Access: restores User Account, Domain User Account and Global User Account; may-restore T1098
- Reissue Credential: restores Credential; may-restore T1098
- Agent Authentication: strengthens User Account, Domain User Account and Global User Account; may-harden T1098
- Credential Hardening: hardens Credential; may-harden T1098
- Unlock Account: restores User Account, Domain User Account and Global User Account; may-restore T1098