Home
ATT&CK Techniques
T1098 Account Manipulation

T1098 Account Manipulation Mappings

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-2	Account Management	Protects	T1098	Account Manipulation
AC-3	Access Enforcement	Protects	T1098	Account Manipulation
AC-4	Information Flow Enforcement	Protects	T1098	Account Manipulation
AC-5	Separation of Duties	Protects	T1098	Account Manipulation
AC-6	Least Privilege	Protects	T1098	Account Manipulation
CM-5	Access Restrictions for Change	Protects	T1098	Account Manipulation
CM-6	Configuration Settings	Protects	T1098	Account Manipulation
CM-7	Least Functionality	Protects	T1098	Account Manipulation
IA-2	Identification and Authentication (organizational Users)	Protects	T1098	Account Manipulation
SC-46	Cross Domain Policy Enforcement	Protects	T1098	Account Manipulation
SC-7	Boundary Protection	Protects	T1098	Account Manipulation
SI-4	System Monitoring	Protects	T1098	Account Manipulation

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
action.hacking.variety.Backdoor	Hacking action that creates a backdoor for use.	related-to	T1098	Account Manipulation
action.hacking.vector.Backdoor	Hacking actions taken through a backdoor. C2 is only used by malware.	related-to	T1098	Account Manipulation
action.malware.variety.Backdoor	Malware creates a backdoor capability for hacking. Child of 'RAT' when combined with 'Trojan'. Child of 'Backdoor or C2'.	related-to	T1098	Account Manipulation
action.malware.variety.Backdoor or C2	Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'.	related-to	T1098	Account Manipulation
attribute.integrity.variety.Modify privileges	Modified privileges or permissions	related-to	T1098	Account Manipulation

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1098.003	Additional Cloud Roles	12
T1098.004	SSH Authorized Keys	16
T1098.005	Device Registration	7
T1098.001	Additional Cloud Credentials	16
T1098.002	Additional Email Delegate Permissions	12