1. Home
  2. ATT&CK Techniques
  3. T1098 Account Manipulation

T1098 Account Manipulation Mappings

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1098 Account Manipulation
AC-3 Access Enforcement Protects T1098 Account Manipulation
AC-4 Information Flow Enforcement Protects T1098 Account Manipulation
AC-5 Separation of Duties Protects T1098 Account Manipulation
AC-6 Least Privilege Protects T1098 Account Manipulation
CM-5 Access Restrictions for Change Protects T1098 Account Manipulation
CM-6 Configuration Settings Protects T1098 Account Manipulation
CM-7 Least Functionality Protects T1098 Account Manipulation
IA-2 Identification and Authentication (organizational Users) Protects T1098 Account Manipulation
SC-46 Cross Domain Policy Enforcement Protects T1098 Account Manipulation
SC-7 Boundary Protection Protects T1098 Account Manipulation
SI-4 System Monitoring Protects T1098 Account Manipulation
CVE-2019-15956 Cisco Web Security Appliance (WSA) primary_impact T1098 Account Manipulation
CVE-2019-1915 Cisco Unified Communications Manager secondary_impact T1098 Account Manipulation
CVE-2019-3775 UAA Release (OSS) primary_impact T1098 Account Manipulation
CVE-2019-3787 UAA Release (OSS) secondary_impact T1098 Account Manipulation
CVE-2020-5362 Dell Client Consumer and Commercial platforms secondary_impact T1098 Account Manipulation
CVE-2019-3782 CredHub CLI secondary_impact T1098 Account Manipulation
CVE-2020-5350 Integrated Data Protection Appliance secondary_impact T1098 Account Manipulation
CVE-2020-0758 Team Foundation Server 2018 exploitation_technique T1098 Account Manipulation
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1098 Account Manipulation
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1098 Account Manipulation
attribute.integrity.variety.Modify privileges Modified privileges or permissions related-to T1098 Account Manipulation
aws_config AWS Config technique_scores T1098 Account Manipulation
amazon_guardduty Amazon GuardDuty technique_scores T1098 Account Manipulation
aws_security_hub AWS Security Hub technique_scores T1098 Account Manipulation
aws_identity_and_access_management AWS Identity and Access Management technique_scores T1098 Account Manipulation

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1098.003 Add Office 365 Global Administrator Role 12
T1098.001 Additional Cloud Credentials 20
T1098.002 Exchange Email Delegate Permissions 12
T1098.004 SSH Authorized Keys 11