Esc
Account Manipulation - T1098
(ATT&CK® Technique)
Definition
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1098["Account Manipulation"] --> |creates| Credential["Credential"]; class T1098 OffensiveTechniqueNode;
class Credential ArtifactNode; click Credential href "/dao/artifact/d3f:Credential";
click T1098 href "/offensive-technique/attack/T1098/"; click Credential href "/dao/artifact/d3f:Credential"; T1098["Account Manipulation"] --> |modifies| UserAccount["User Account"]; class T1098 OffensiveTechniqueNode;
class UserAccount ArtifactNode; click UserAccount href "/dao/artifact/d3f:UserAccount";
click T1098 href "/offensive-technique/attack/T1098/"; click UserAccount href "/dao/artifact/d3f:UserAccount"; T1098["Account Manipulation"] --> |modifies| DomainUserAccount["Domain User Account"]; class T1098 OffensiveTechniqueNode;
class DomainUserAccount ArtifactNode; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount";
click T1098 href "/offensive-technique/attack/T1098/"; click DomainUserAccount href "/dao/artifact/d3f:DomainUserAccount"; T1098["Account Manipulation"] --> |modifies| GlobalUserAccount["Global User Account"]; class T1098 OffensiveTechniqueNode;
class GlobalUserAccount ArtifactNode; click GlobalUserAccount href "/dao/artifact/d3f:GlobalUserAccount";
click T1098 href "/offensive-technique/attack/T1098/"; click GlobalUserAccount href "/dao/artifact/d3f:GlobalUserAccount"; T1098["Account Manipulation"] --> |produces| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"]; class T1098 OffensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
click T1098 href "/offensive-technique/attack/T1098/"; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
| May Detect | T1098["Account Manipulation"] ;
class Client-serverPayloadProfiling DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
| May Detect | T1098["Account Manipulation"] ;
class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.->
| May Detect | T1098["Account Manipulation"] ;
class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
| May Detect | T1098["Account Manipulation"] ;
class ConnectionAttemptAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
| May Detect | T1098["Account Manipulation"] ;
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
| May Detect | T1098["Account Manipulation"] ;
class RemoteTerminalSessionDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
| May Detect | T1098["Account Manipulation"] ;
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
| May Detect | T1098["Account Manipulation"] ;
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; CredentialRevocation["Credential Revocation"] -->
| deletes | Credential["Credential"];
CredentialRevocation["Credential Revocation"] -.->
| May Evict | T1098["Account Manipulation"] ;
class CredentialRevocation DefensiveTechniqueNode;
class Credential ArtifactNode;
click CredentialRevocation href "/technique/d3f:CredentialRevocation"; AccountLocking["Account Locking"] -->
| disables | UserAccount["User Account"];
AccountLocking["Account Locking"] -.->
| May Evict | T1098["Account Manipulation"] ;
class AccountLocking DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; AccountLocking["Account Locking"] -->
| disables | DomainUserAccount["Domain User Account"];
class AccountLocking DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; AccountLocking["Account Locking"] -->
| disables | GlobalUserAccount["Global User Account"];
class AccountLocking DefensiveTechniqueNode;
class GlobalUserAccount ArtifactNode;
click AccountLocking href "/technique/d3f:AccountLocking"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
| analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
| May Detect | T1098["Account Manipulation"] ;
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; DomainAccountMonitoring["Domain Account Monitoring"] -->
| monitors | GlobalUserAccount["Global User Account"];
DomainAccountMonitoring["Domain Account Monitoring"] -.->
| May Detect | T1098["Account Manipulation"] ;
class DomainAccountMonitoring DefensiveTechniqueNode;
class GlobalUserAccount ArtifactNode;
click DomainAccountMonitoring href "/technique/d3f:DomainAccountMonitoring"; DomainAccountMonitoring["Domain Account Monitoring"] -->
| monitors | DomainUserAccount["Domain User Account"];
class DomainAccountMonitoring DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click DomainAccountMonitoring href "/technique/d3f:DomainAccountMonitoring"; DecoyUserCredential["Decoy User Credential"] -->
| spoofs | Credential["Credential"];
DecoyUserCredential["Decoy User Credential"] -.->
| May Deceive | T1098["Account Manipulation"] ;
class DecoyUserCredential DefensiveTechniqueNode;
class Credential ArtifactNode;
click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
| analyzes | Credential["Credential"];
CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
| May Detect | T1098["Account Manipulation"] ;
class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
class Credential ArtifactNode;
click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
| deletes | Credential["Credential"];
AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
| May Evict | T1098["Account Manipulation"] ;
class AuthenticationCacheInvalidation DefensiveTechniqueNode;
class Credential ArtifactNode;
click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; Multi-factorAuthentication["Multi-factor Authentication"] -->
| authenticates | UserAccount["User Account"];
Multi-factorAuthentication["Multi-factor Authentication"] -.->
| May Harden | T1098["Account Manipulation"] ;
class Multi-factorAuthentication DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; Multi-factorAuthentication["Multi-factor Authentication"] -->
| authenticates | DomainUserAccount["Domain User Account"];
class Multi-factorAuthentication DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; Multi-factorAuthentication["Multi-factor Authentication"] -->
| authenticates | GlobalUserAccount["Global User Account"];
class Multi-factorAuthentication DefensiveTechniqueNode;
class GlobalUserAccount ArtifactNode;
click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; CredentialRotation["Credential Rotation"] -->
| regenerates | Credential["Credential"];
CredentialRotation["Credential Rotation"] -.->
| May Harden | T1098["Account Manipulation"] ;
class CredentialRotation DefensiveTechniqueNode;
class Credential ArtifactNode;
click CredentialRotation href "/technique/d3f:CredentialRotation"; BiometricAuthentication["Biometric Authentication"] -->
| authenticates | GlobalUserAccount["Global User Account"];
BiometricAuthentication["Biometric Authentication"] -.->
| May Harden | T1098["Account Manipulation"] ;
class BiometricAuthentication DefensiveTechniqueNode;
class GlobalUserAccount ArtifactNode;
click BiometricAuthentication href "/technique/d3f:BiometricAuthentication"; BiometricAuthentication["Biometric Authentication"] -->
| authenticates | UserAccount["User Account"];
class BiometricAuthentication DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click BiometricAuthentication href "/technique/d3f:BiometricAuthentication"; BiometricAuthentication["Biometric Authentication"] -->
| authenticates | DomainUserAccount["Domain User Account"];
class BiometricAuthentication DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click BiometricAuthentication href "/technique/d3f:BiometricAuthentication"; StrongPasswordPolicy["Strong Password Policy"] -->
| strengthens | UserAccount["User Account"];
StrongPasswordPolicy["Strong Password Policy"] -.->
| May Harden | T1098["Account Manipulation"] ;
class StrongPasswordPolicy DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy"; StrongPasswordPolicy["Strong Password Policy"] -->
| strengthens | DomainUserAccount["Domain User Account"];
class StrongPasswordPolicy DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy"; StrongPasswordPolicy["Strong Password Policy"] -->
| strengthens | GlobalUserAccount["Global User Account"];
class StrongPasswordPolicy DefensiveTechniqueNode;
class GlobalUserAccount ArtifactNode;
click StrongPasswordPolicy href "/technique/d3f:StrongPasswordPolicy"; One-timePassword["One-time Password"] -->
| authenticates | GlobalUserAccount["Global User Account"];
One-timePassword["One-time Password"] -.->
| May Harden | T1098["Account Manipulation"] ;
class One-timePassword DefensiveTechniqueNode;
class GlobalUserAccount ArtifactNode;
click One-timePassword href "/technique/d3f:One-timePassword"; UserAccountPermissions["User Account Permissions"] -->
| restricts | UserAccount["User Account"];
UserAccountPermissions["User Account Permissions"] -.->
| May Harden | T1098["Account Manipulation"] ;
class UserAccountPermissions DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; CredentialTransmissionScoping["Credential Transmission Scoping"] -->
| restricts | Credential["Credential"];
CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
| May Harden | T1098["Account Manipulation"] ;
class CredentialTransmissionScoping DefensiveTechniqueNode;
class Credential ArtifactNode;
click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; UserAccountPermissions["User Account Permissions"] -->
| restricts | GlobalUserAccount["Global User Account"];
class UserAccountPermissions DefensiveTechniqueNode;
class GlobalUserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; UserAccountPermissions["User Account Permissions"] -->
| restricts | DomainUserAccount["Domain User Account"];
class UserAccountPermissions DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click UserAccountPermissions href "/technique/d3f:UserAccountPermissions"; One-timePassword["One-time Password"] -->
| authenticates | UserAccount["User Account"];
class One-timePassword DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click One-timePassword href "/technique/d3f:One-timePassword"; One-timePassword["One-time Password"] -->
| authenticates | DomainUserAccount["Domain User Account"];
class One-timePassword DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click One-timePassword href "/technique/d3f:One-timePassword"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | UserAccount["User Account"];
RestoreUserAccountAccess["Restore User Account Access"] -.->
| May Restore | T1098["Account Manipulation"] ;
class RestoreUserAccountAccess DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | DomainUserAccount["Domain User Account"];
class RestoreUserAccountAccess DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; RestoreUserAccountAccess["Restore User Account Access"] -->
| restores | GlobalUserAccount["Global User Account"];
class RestoreUserAccountAccess DefensiveTechniqueNode;
class GlobalUserAccount ArtifactNode;
click RestoreUserAccountAccess href "/technique/d3f:RestoreUserAccountAccess"; ReissueCredential["Reissue Credential"] -->
| restores | Credential["Credential"];
ReissueCredential["Reissue Credential"] -.->
| May Restore | T1098["Account Manipulation"] ;
class ReissueCredential DefensiveTechniqueNode;
class Credential ArtifactNode;
click ReissueCredential href "/technique/d3f:ReissueCredential"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
| filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.->
| May Isolate | T1098["Account Manipulation"] ;
class NetworkTrafficFiltering DefensiveTechniqueNode;
class IntranetAdministrativeNetworkTraffic ArtifactNode;
click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; UnlockAccount["Unlock Account"] -->
| restores | GlobalUserAccount["Global User Account"];
UnlockAccount["Unlock Account"] -.->
| May Restore | T1098["Account Manipulation"] ;
class UnlockAccount DefensiveTechniqueNode;
class GlobalUserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount"; UnlockAccount["Unlock Account"] -->
| restores | UserAccount["User Account"];
class UnlockAccount DefensiveTechniqueNode;
class UserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount"; UnlockAccount["Unlock Account"] -->
| restores | DomainUserAccount["Domain User Account"];
class UnlockAccount DefensiveTechniqueNode;
class DomainUserAccount ArtifactNode;
click UnlockAccount href "/technique/d3f:UnlockAccount";