T1098 Account Manipulation Mappings

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1098 Account Manipulation
AC-3 Access Enforcement Protects T1098 Account Manipulation
AC-4 Information Flow Enforcement Protects T1098 Account Manipulation
AC-5 Separation of Duties Protects T1098 Account Manipulation
AC-6 Least Privilege Protects T1098 Account Manipulation
CM-5 Access Restrictions for Change Protects T1098 Account Manipulation
CM-6 Configuration Settings Protects T1098 Account Manipulation
CM-7 Least Functionality Protects T1098 Account Manipulation
IA-2 Identification and Authentication (organizational Users) Protects T1098 Account Manipulation
SC-46 Cross Domain Policy Enforcement Protects T1098 Account Manipulation
SC-7 Boundary Protection Protects T1098 Account Manipulation
SI-4 System Monitoring Protects T1098 Account Manipulation
action.hacking.variety.Backdoor Hacking action that creates a backdoor for use. related-to T1098 Account Manipulation
action.hacking.vector.Backdoor Hacking actions taken through a backdoor. C2 is only used by malware. related-to T1098 Account Manipulation
action.malware.variety.Backdoor Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'. related-to T1098 Account Manipulation
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1098 Account Manipulation
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098 Account Manipulation

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1098.003 Additional Cloud Roles 12
T1098.004 SSH Authorized Keys 16
T1098.005 Device Registration 7
T1098.001 Additional Cloud Credentials 16
T1098.002 Additional Email Delegate Permissions 12