User Account Modification

Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships.

Data Collection Measures:

  • Host-Based Logging
    • Windows Event Logs
      • Event ID 4738 – A user account was changed.
      • Event ID 4725 – A user account was disabled.
      • Event ID 4724 – An attempt was made to reset an account's password.
      • Event ID 4767 – A user account was unlocked.
    • Linux/macOS Authentication Logs
      • /var/log/auth.log, /var/log/secure – Tracks account modifications (usermod, chage, passwd).
      • AuditD – Monitors account changes (useradd, usermod, gpasswd).
      • OSQuery – Queries the users table for recent modifications.
  • Cloud-Based Logging
    • Azure AD Logs
      • Azure AD Audit Logs – Tracks modifications to users and security groups.
      • Azure Graph API – Captures changes to authentication policies and MFA settings.
    • AWS IAM & CloudTrail Logs
      • ModifyUser, UpdateLoginProfile – Captures changes to IAM user attributes.
      • AttachUserPolicy, AddUserToGroup – Detects policy and group modifications.
    • Google Workspace & Office 365 Logs
      • Google Admin Console – Logs account changes, role modifications, and group membership updates.
      • Microsoft 365 Unified Audit Log – Captures modifications to security settings and privileged account changes.
  • Container & Network Account Modification Logs
    • Kubernetes Service Account Changes
      • kubectl audit logs – Detects service account modifications in Kubernetes clusters.
      • GKE/Azure AKS Logs – Monitors role and permission changes.
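Added example (not from the ATT&CK page or from MITRE): a small correlation over the Windows Security event IDs listed above, run against constructed sample records. Field names follow the Security channel layout (for group-add events the modified account is in MemberName, not TargetUserName); the 10-minute window and the account and group names are assumptions.

```python
"""Correlate Windows Security account-modification events (IDs from this page)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs named under Host-Based Logging and in the Log Sources table.
EVENT_NAMES = {4724: "password reset", 4738: "account changed", 4725: "account disabled",
               4767: "account unlocked", 4728: "added to global group",
               4732: "added to local group", 4756: "added to universal group"}
GROUP_ADD = {4728, 4732, 4756}

# Constructed sample records (not real telemetry). SubjectUserName is the actor.
# For 4724/4738/4725/4767 TargetUserName is the modified account; for group
# adds TargetUserName is the GROUP and the account is a DN in MemberName.
SAMPLE_EVENTS = [
    {"time": "2025-10-21T08:00:05", "EventID": 4724, "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    {"time": "2025-10-21T08:00:40", "EventID": 4738, "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    {"time": "2025-10-21T08:01:10", "EventID": 4732, "SubjectUserName": "helpdesk1",
     "TargetUserName": "Administrators", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"time": "2025-10-21T09:15:00", "EventID": 4767, "SubjectUserName": "helpdesk2", "TargetUserName": "asmith"},
    {"time": "2025-10-21T16:30:00", "EventID": 4728, "SubjectUserName": "helpdesk2",
     "TargetUserName": "Domain Admins", "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example"},
]

def account_of(event):
    """Return the account being modified, normalising the group-add layout."""
    if event["EventID"] in GROUP_ADD:
        return event["MemberName"].split(",")[0].split("=", 1)[1]  # CN=<name>,...
    return event["TargetUserName"]

def timeline(events):
    """Per-account ordered list of modification names, for analyst review."""
    out = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        out[account_of(e)].append(EVENT_NAMES.get(e["EventID"], str(e["EventID"])))
    return dict(out)

def reset_then_group_add(events, window=timedelta(minutes=10)):
    """Flag a 4724 reset followed within `window` by a group add of the same account."""
    alerts, last_reset = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        acct, ts = account_of(e), datetime.fromisoformat(e["time"])
        if e["EventID"] == 4724:
            last_reset[acct] = (ts, e["SubjectUserName"])
        elif e["EventID"] in GROUP_ADD and acct in last_reset:
            reset_ts, actor = last_reset[acct]
            if ts - reset_ts <= window:
                alerts.append({"account": acct, "actor": actor, "group": e["TargetUserName"],
                               "seconds": int((ts - reset_ts).total_seconds())})
    return alerts
```

On the sample data only jdoe is flagged (reset, then added to Administrators 65 seconds later); asmith's unlock followed hours later by a group add is left for the per-account timeline rather than alerted.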
ID: DC0010
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name                         | Channel
-----------------------------+----------------------------------------------------------------------------------
auditd:SYSCALL               | usermod, groupmod, passwd
auditd:SYSCALL               | SYSCALL for usermod or /etc/group file modification
auditd:SYSCALL               | usermod, or account rename system calls
AWS:CloudTrail               | UpdateLoginProfile
AWS:CloudTrail               | AttachUserPolicy, CreatePolicyVersion, PutRolePolicy
AWS:CloudTrail               | AttachUserPolicy
AWS:CloudTrail               | CreateAccessKey
AWS:CloudTrail               | role privilege expansion detected
azure:audit                  | Operation IN ("Add device", "Add registered users to device", "Add registered owner to device")
azure:audit                  | Add member to role
azure:audit                  | Rename user
azure:audit                  | Add service principal credentials, app password added, app role assignment
azure:policy                 | DisableMfaPolicy or change to ConditionalAccess rules
azure:signinLogs             | unusual role assumption or elevation path
gcp:audit                    | Admin Activity > Role Change or Sharing Change
gcp:audit                    | google.iam.admin.v1.RoleAssignment
gcp:audit                    | Set Gmail Delegation
gcp:audit                    | iam.serviceAccounts.keys.create, os-login.sshPublicKeys.add
gcp:audit                    | API Key Created, OAuth Client Registered
kubernetes:audit             | create or update events for RoleBinding or ClusterRoleBinding objects
linux:syslog                 | sudo or su access prior to content change
m365:audit                   | Add member to role, Add app role assignment
m365:unified                 | Admin Activity > Role Change or Sharing Change
m365:unified                 | Set-ADUser OR Set-ADAccountControl
m365:unified                 | User excluded from MFA or MFA method registered
m365:unified                 | Add member to role, Set-Mailbox
m365:unified                 | Set-MailboxAuditBypassAssociation or disabling Advanced Auditing
m365:unified                 | New agent registration by non-admin user
m365:unified                 | Add-MailboxPermission, UpdateFolderPermissions
m365:unified                 | Set-Mailbox, Set-InboxRule, Set-MailboxFolderPermission
macos:unifiedlog             | com.apple.accountsd, com.apple.opendirectoryd
macos:unifiedlog             | Process execution or directory service changes
Okta:SystemLog               | user.account.privilege.grant
saas:okta                    | User Attribute Modified / Role Assignment Changed
saas:okta                    | user.lifecycle.delete, user.account.lock
saas:okta                    | admin role granted outside approved workflows
saas:zoom                    | DisableMFA or RegisterNewFactor
WinEventLog:DirectoryService | EventID 5136
WinEventLog:Security         | EventCode=4738, 4728, 4670
WinEventLog:Security         | EventCode=4723, 4724, 4726, 4740
WinEventLog:Security         | EventCode=4704
WinEventLog:Security         | EventCode=4728, 4729, 4732, 4733, 4756, 4757

Detection Strategy

ID      | Name                                                                                     | Technique Detected
--------+------------------------------------------------------------------------------------------+-------------------
DET0120 | Account Access Removal via Multi-Platform Audit Correlation                              | T1531
DET0096 | Account Manipulation Behavior Chain Detection                                            | T1098
DET0293 | Detect Hybrid Identity Authentication Process Modification                               | T1556.007
DET0072 | Detect Logon Script Modifications and Execution                                          | T1037.001
DET0190 | Detect MFA Modification or Disabling Across Platforms                                    | T1556.006
DET0104 | Detect Modification of Authentication Processes Across Platforms                         | T1556
DET0398 | Detect Office Startup-Based Persistence via Macros, Forms, and Registry Hooks            | T1137
DET0305 | Detection of Group Policy Modifications via AD Object Changes and File Activity          | T1484.001
DET0458 | Detection of Trust Relationship Modifications in Domain or Tenant Policies               | T1484.002
DET0345 | Detection Strategy for Abuse Elevation Control Mechanism (T1548)                         | T1548
DET0373 | Detection Strategy for Addition of Email Delegate Permissions                            | T1098.002
DET0531 | Detection Strategy for Additional Cloud Credentials in IaaS/IdP/SaaS                     | T1098.001
DET0289 | Detection Strategy for Disable or Modify Cloud Logs                                      | T1562.008
DET0317 | Detection Strategy for Impair Defenses Across Platforms                                  | T1562
DET0383 | Detection Strategy for Masquerading via Account Name Similarity                          | T1036.010
DET0277 | Detection Strategy for Role Addition to Cloud Accounts                                   | T1098.003
DET0583 | Detection Strategy for T1136 - Create Account across platforms                           | T1136
DET0319 | Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office | T1136.003
DET0082 | Internal Website and System Content Defacement via UI or Messaging Modifications         | T1491.001
DET0310 | Suspicious Addition to Local or Domain Groups                                            | T1098.007
DET0036 | Suspicious Device Registration via Entra ID or MFA Platform                              | T1098.005
DET0572 | Suspicious RoleBinding or ClusterRoleBinding Assignment in Kubernetes                    | T1098.006