Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.[1] These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.
| ID | Name | Description |
|---|---|---|
| C0025 | 2016 Ukraine Electric Power Attack |
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the |
| S0274 | Calisto | |
| G0125 | HAFNIUM |
HAFNIUM has granted privileges to domain accounts and reset the password for default admin accounts.[4][5] |
| G0032 | Lazarus Group |
Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.[6][7] |
| S0002 | Mimikatz |
The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The |
| G1015 | Scattered Spider |
Scattered Spider has added accounts to the ESX Admins group to grant them full admin rights in vSphere.[10] |
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program |
Remove unnecessary and potentially abusable authentication and authorization mechanisms where possible. |
| M1032 | Multi-factor Authentication |
Use multi-factor authentication for user and privileged accounts. |
| M1030 | Network Segmentation |
Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems. |
| M1028 | Operating System Configuration |
Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing. |
| M1026 | Privileged Account Management |
Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
| M1022 | Restrict File and Directory Permissions |
Restrict access to potentially sensitive files that deal with authentication and/or authorization. |
| M1018 | User Account Management |
Ensure that low-privileged user accounts do not have permissions to modify accounts or account-related policies. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0096 | Account Manipulation Behavior Chain Detection | AN0265 |
Account attribute changes (e.g., password set, group membership, servicePrincipalName, logon hours) correlated with unusual process lineage or timing, indicating privilege escalation or persistence via valid accounts. |
| AN0266 |
Use of native tools or scripting (e.g., |
||
| AN0267 |
Modifications to user accounts via |
||
| AN0268 |
Modifications to SSO/SAML user attributes (e.g., |
||
| AN0269 |
Addition of new users or changes to role permissions (e.g., ReadOnly -> Admin) via API or vSphere Client, particularly from non-jumpbox IPs. |
||
| AN0270 |
Role escalation (e.g., Editor → Owner) in cloud collaboration tools (Google Workspace, O365) or file sharing apps to maintain elevated access. |