Which SIEM platforms have a T1098 detection rule?

df00tech provides T1098 (Account Manipulation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1098 detection?

The T1098 detection is rated high severity with high confidence.

What are common false positives for T1098?

Common false positives for T1098 include: IT administrators performing legitimate account provisioning or group membership changes during onboarding or role transitions; Automated identity management systems (SailPoint, Saviynt, AD Connect) performing scheduled sync operations that generate bulk account modification events; Help desk staff performing password resets or account unlock operations which generate 4738 events.

T1098

Account Manipulation

Q: What data sources are required to detect Account Manipulation (T1098)?

Detecting Account Manipulation requires the following data sources: User Account: User Account Modification, Active Directory: Active Directory Object Modification, Windows Security Event Log.

Persistence Privilege Escalation Last updated: April 13, 2026

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. Account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.

What is T1098 Account Manipulation?

Account Manipulation (T1098) maps to the Persistence and Privilege Escalation tactics — the adversary is trying to maintain their foothold in MITRE ATT&CK.

This page provides production-ready detection logic for Account Manipulation, covering the data sources and telemetry it touches: User Account: User Account Modification, Active Directory: Active Directory Object Modification, Windows Security Event Log. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Persistence Privilege Escalation
Technique: T1098 Account Manipulation
Canonical reference: https://attack.mitre.org/techniques/T1098/

Microsoft Sentinel / Defender

kusto

// T1098 — Account Manipulation: Detects suspicious account property changes, privilege assignments, and group membership modifications
let SensitiveGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "Account Operators", "Backup Operators", "Print Operators", "Server Operators", "Group Policy Creator Owners", "Remote Management Users", "ESX Admins"]);
let LookbackWindow = 1d;
union
(
    // 4738 - User account changed (password reset, UserAccountControl changes, etc.)
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4738
    | extend TargetAccount = TargetUserName, ChangedBy = SubjectUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = "UserAccountModified"
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4670 - Account permissions changed
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4670
    | extend TargetAccount = TargetUserName, ChangedBy = SubjectUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = "PermissionsChanged"
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4732 - Member added to security-enabled local group
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4732
    | extend TargetAccount = MemberName, ChangedBy = SubjectUserName
    | extend GroupName = TargetUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = strcat("AddedToGroup:", GroupName)
    | where GroupName in~ (SensitiveGroups)
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4728 - Member added to security-enabled global group
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4728
    | extend TargetAccount = MemberName, ChangedBy = SubjectUserName
    | extend GroupName = TargetUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = strcat("AddedToGlobalGroup:", GroupName)
    | where GroupName in~ (SensitiveGroups)
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4756 - Member added to security-enabled universal group
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4756
    | extend TargetAccount = MemberName, ChangedBy = SubjectUserName
    | extend GroupName = TargetUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = strcat("AddedToUniversalGroup:", GroupName)
    | where GroupName in~ (SensitiveGroups)
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4648 - Logon using explicit credentials after account change (potential Skeleton Key)
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4648
    | extend TargetAccount = TargetUserName, ChangedBy = SubjectUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = "ExplicitCredentialLogon"
    | where SubjectUserName != TargetUserName
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
)
| summarize EventCount=count(), EventTypes=make_set(ChangeType), AffectedAccounts=make_set(TargetAccount), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by ChangedBy, Computer
| where EventCount >= 1
| extend RiskScore = case(
    EventCount >= 10, "High",
    EventCount >= 3, "Medium",
    "Low"
  )
| sort by EventCount desc

Detects account manipulation activity across Windows domain environments using Security event log data. Monitors for user account property changes (EventID 4738), permission modifications (EventID 4670), and membership additions to sensitive groups including Domain Admins, Enterprise Admins, Administrators, and ESX Admins (EventIDs 4732, 4728, 4756). Also captures explicit credential logon events (EventID 4648) that may indicate Skeleton Key or pass-the-hash activity following account compromise. Results are aggregated by actor and computer with a risk score based on activity volume.

high severity high confidence

Data Sources

User Account: User Account Modification Active Directory: Active Directory Object Modification Windows Security Event Log

Required Tables

SecurityEvent

False Positives

IT administrators performing legitimate account provisioning or group membership changes during onboarding or role transitions
Automated identity management systems (SailPoint, Saviynt, AD Connect) performing scheduled sync operations that generate bulk account modification events
Help desk staff performing password resets or account unlock operations which generate 4738 events
Group Policy or SCCM deployments that modify local group membership across endpoints as part of standard configuration management
Scheduled account maintenance scripts that iterate through stale accounts and modify their properties

Splunk

spl

index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4738 OR EventCode=4670 OR EventCode=4732 OR EventCode=4728 OR EventCode=4756 OR EventCode=4735 OR EventCode=4648)
| eval ChangeType=case(
    EventCode=4738, "UserAccountModified",
    EventCode=4670, "PermissionsChanged",
    EventCode=4732, "AddedToLocalGroup",
    EventCode=4728, "AddedToGlobalGroup",
    EventCode=4756, "AddedToUniversalGroup",
    EventCode=4735, "LocalGroupModified",
    EventCode=4648, "ExplicitCredentialLogon",
    "Unknown"
  )
| eval SensitiveGroup=if(match(lower(coalesce(TargetUserName, Group_Name, "")), "domain admins|enterprise admins|schema admins|administrators|account operators|backup operators|server operators|group policy creator owners|remote management users|esx admins"), 1, 0)
| eval IsHighRisk=if(SensitiveGroup=1 OR EventCode=4670, 1, 0)
| eval ActorAccount=coalesce(SubjectUserName, Subject_Account_Name, "Unknown")
| eval TargetAccount=coalesce(TargetUserName, Target_Account_Name, MemberName, "Unknown")
| eval TargetDomain=coalesce(TargetDomainName, "Unknown")
| where NOT (ActorAccount="-" OR ActorAccount="SYSTEM" OR ActorAccount="LOCAL SERVICE" OR ActorAccount="NETWORK SERVICE")
| stats count as TotalEvents,
        sum(IsHighRisk) as HighRiskCount,
        values(ChangeType) as ChangeTypes,
        values(TargetAccount) as AffectedAccounts,
        earliest(_time) as FirstSeen,
        latest(_time) as LastSeen
        by ActorAccount, host
| eval RiskScore=case(
    HighRiskCount >= 3, "Critical",
    HighRiskCount >= 1, "High",
    TotalEvents >= 10, "Medium",
    "Low"
  )
| where TotalEvents >= 1
| sort - HighRiskCount, - TotalEvents

Detects account manipulation activity using Windows Security event logs. Monitors for user account changes (4738), permission modifications (4670), group membership additions to local/global/universal groups (4732/4728/4756), local group changes (4735), and explicit credential logon events (4648). Flags activity targeting sensitive privileged groups and assigns a risk score based on high-risk event counts. Filters out SYSTEM and service account actors to reduce noise from OS-generated events.

high severity high confidence

Data Sources

User Account: User Account Modification Active Directory: Active Directory Object Modification Windows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives

IT administrators performing legitimate account provisioning or group membership changes during onboarding or role transitions
Automated identity management systems (SailPoint, Saviynt, AD Connect) performing scheduled sync operations that generate bulk account modification events
Help desk staff performing password resets or account unlock operations which generate 4738 events
Group Policy or SCCM deployments that modify local group membership across endpoints as part of standard configuration management
Scheduled account maintenance scripts that iterate through stale accounts and modify their properties

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LONG(eventid) AS EventID,
  CASE
    WHEN LONG(eventid) = 4738 THEN 'UserAccountModified'
    WHEN LONG(eventid) = 4670 THEN 'PermissionsChanged'
    WHEN LONG(eventid) = 4732 THEN 'AddedToLocalGroup'
    WHEN LONG(eventid) = 4728 THEN 'AddedToGlobalGroup'
    WHEN LONG(eventid) = 4756 THEN 'AddedToUniversalGroup'
    WHEN LONG(eventid) = 4735 THEN 'LocalGroupModified'
    WHEN LONG(eventid) = 4648 THEN 'ExplicitCredentialLogon'
    ELSE 'Unknown'
  END AS ChangeType,
  username AS ActorAccount,
  "Account_Domain" AS TargetDomain,
  "Target_Account_Name" AS TargetAccount,
  hostname AS SourceHost,
  CATEGORYNAME(category) AS EventCategory,
  LOGSOURCENAME(logsourceid) AS LogSource,
  COUNT(*) OVER (PARTITION BY username, hostname) AS ActorEventCount
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND LONG(eventid) IN (4738, 4670, 4732, 4728, 4756, 4735, 4648)
  AND username NOT IN ('-', 'SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE', 'ANONYMOUS LOGON')
  AND (
    LONG(eventid) IN (4738, 4670, 4648)
    OR (
      LONG(eventid) IN (4732, 4728, 4756, 4735)
      AND (LOWER("Group_Name") LIKE '%domain admins%'
        OR LOWER("Group_Name") LIKE '%enterprise admins%'
        OR LOWER("Group_Name") LIKE '%schema admins%'
        OR LOWER("Group_Name") LIKE '%administrators%'
        OR LOWER("Group_Name") LIKE '%account operators%'
        OR LOWER("Group_Name") LIKE '%backup operators%'
        OR LOWER("Group_Name") LIKE '%server operators%'
        OR LOWER("Group_Name") LIKE '%group policy creator owners%'
        OR LOWER("Group_Name") LIKE '%remote management users%'
        OR LOWER("Group_Name") LIKE '%esx admins%')
    )
  )
LAST 24 HOURS
ORDER BY ActorEventCount DESC, starttime DESC

Detects T1098 Account Manipulation using QRadar AQL against Windows Security Event Log (LOGSOURCETYPEID=12). Monitors Event IDs 4738, 4670, 4732, 4728, 4756, 4735, and 4648 for suspicious account property changes, permission modifications, and sensitive group membership additions. Excludes system-level built-in accounts that generate high-volume benign events. Partitions results by actor and host to surface high-frequency actors.

high severity high confidence

Data Sources

Windows Security Event Log (LOGSOURCETYPEID=12) Active Directory Domain Controllers Windows member servers with audit policy enabled

Required Tables

events

False Positives

Enterprise identity governance platforms (e.g., Saviynt, CyberArk, Varonis) performing automated access certification reviews that add/remove sensitive group memberships in bulk
Domain administrator accounts performing legitimate bulk user provisioning during company mergers, acquisitions, or large-scale onboarding events — results in a spike of 4738 and 4732 events from a single actor
Password synchronization tools or SSO federation agents generating 4648 explicit credential logon events during token refresh cycles, which can appear as repeated credential use across many accounts

Sumo Logic CSE

sql

_sourceCategory=Windows/Security ("EventCode=4738" OR "EventCode=4670" OR "EventCode=4732" OR "EventCode=4728" OR "EventCode=4756" OR "EventCode=4735" OR "EventCode=4648")
| parse "EventCode=*" as EventCode
| parse "SubjectUserName=*" as ActorAccount nodrop
| parse "TargetUserName=*" as TargetAccount nodrop
| parse "TargetDomainName=*" as TargetDomain nodrop
| parse "MemberName=%CN=*," as MemberCN nodrop
| parse "Computer=*" as SourceHost nodrop
| where !(ActorAccount matches "-" or ActorAccount matches "SYSTEM" or ActorAccount matches "LOCAL SERVICE" or ActorAccount matches "NETWORK SERVICE")
| eval ChangeType = if(EventCode == "4738", "UserAccountModified",
    if(EventCode == "4670", "PermissionsChanged",
    if(EventCode == "4732", "AddedToLocalGroup",
    if(EventCode == "4728", "AddedToGlobalGroup",
    if(EventCode == "4756", "AddedToUniversalGroup",
    if(EventCode == "4735", "LocalGroupModified",
    if(EventCode == "4648", "ExplicitCredentialLogon", "Unknown")))))))
| eval IsSensitiveGroup = if(
    matches(toLowerCase(TargetAccount), ".*domain admins.*") or
    matches(toLowerCase(TargetAccount), ".*enterprise admins.*") or
    matches(toLowerCase(TargetAccount), ".*schema admins.*") or
    matches(toLowerCase(TargetAccount), ".*administrators.*") or
    matches(toLowerCase(TargetAccount), ".*account operators.*") or
    matches(toLowerCase(TargetAccount), ".*backup operators.*") or
    matches(toLowerCase(TargetAccount), ".*server operators.*") or
    matches(toLowerCase(TargetAccount), ".*group policy creator owners.*") or
    matches(toLowerCase(TargetAccount), ".*remote management users.*") or
    matches(toLowerCase(TargetAccount), ".*esx admins.*"), 1, 0)
| eval IsHighRisk = if(IsSensitiveGroup == 1 OR EventCode == "4670", 1, 0)
| stats count as TotalEvents,
        sum(IsHighRisk) as HighRiskCount,
        values(ChangeType) as ChangeTypes,
        values(TargetAccount) as AffectedAccounts,
        min(_messageTime) as FirstSeen,
        max(_messageTime) as LastSeen
        by ActorAccount, SourceHost
| eval RiskScore = if(HighRiskCount >= 3, "Critical",
    if(HighRiskCount >= 1, "High",
    if(TotalEvents >= 10, "Medium", "Low")))
| where TotalEvents >= 1
| sort by HighRiskCount, TotalEvents

Detects T1098 Account Manipulation in Sumo Logic by parsing Windows Security Event Log messages for Event IDs 4738, 4670, 4732, 4728, 4756, 4735, and 4648. Uses field parsing from raw Windows event log messages to extract actor, target, and group context. Computes a risk score based on sensitive group involvement and permission changes, aggregating by actor account and source host to surface the most suspicious actors.

high severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector Active Directory Domain Controllers Windows servers with advanced audit policy configured

Required Tables

_sourceCategory=Windows/Security Windows event log messages forwarded via Sumo Logic collector

False Positives

Privileged Access Workstation (PAW) administrators performing legitimate just-in-time (JIT) access assignments that temporarily add accounts to sensitive groups like Domain Admins, which generates 4728/4732/4756 events followed by rapid removal events
IT operations teams running automated compliance scripts that audit and correct group memberships — these produce clusters of account modification events from a single service account across many targets in a short window
SCCM/MECM or Intune enrollment processes that modify local Administrators group membership on endpoints, generating high volumes of 4732 events from domain controller service accounts

Google Chronicle / SecOps

yaral

rule T1098_Account_Manipulation {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1098 Account Manipulation via Windows Security Events monitoring account property changes, permission modifications, and sensitive group membership additions."
    mitre_attack_tactic = "Persistence, Privilege Escalation"
    mitre_attack_technique = "T1098"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    $e.metadata.log_type = "WINEVTLOG"
    $e.metadata.vendor_name = "Microsoft"
    $e.metadata.product_name = "Windows"
    $e.metadata.product_event_type in [
      "4738", "4670", "4732", "4728", "4756", "4735", "4648"
    ]
    not $e.principal.user.userid in [
      "-", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"
    ]
    not re.regex($e.principal.user.userid, `\$$`)
    (
      $e.metadata.product_event_type in ["4738", "4670", "4648"]
      or
      (
        $e.metadata.product_event_type in ["4732", "4728", "4756", "4735"]
        and
        re.regex($e.target.group.group_display_name,
          `(?i)(domain admins|enterprise admins|schema admins|^administrators$|account operators|backup operators|print operators|server operators|group policy creator owners|remote management users|esx admins)`
        )
      )
    )
    $actor = $e.principal.user.userid
    $host = $e.principal.hostname

  match:
    $actor, $host over 1h

  outcome:
    $event_count = count_distinct($e.metadata.id)
    $event_types = array_distinct($e.metadata.product_event_type)
    $affected_accounts = array_distinct($e.target.user.userid)
    $sensitive_group_hits = count_distinct($e.target.group.group_display_name)
    $risk_score = if($sensitive_group_hits >= 3, "Critical",
                   if($sensitive_group_hits >= 1, "High",
                   if($event_count >= 10, "Medium", "Low")))

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule detecting T1098 Account Manipulation. Matches Windows Security Event IDs 4738, 4670, 4732, 4728, 4756, 4735, and 4648 using UDM fields principal.user.userid, principal.hostname, target.group.group_display_name, and metadata.product_event_type. Aggregates over a 1-hour window per actor/host pair, excludes machine accounts (trailing $) and built-in system accounts, and focuses group-membership events on sensitive AD groups. Computes a risk score based on sensitive group involvement frequency.

high severity high confidence

Data Sources

Windows Security Event Log via Chronicle forwarder or Google Cloud Pub/Sub Active Directory Domain Controller event logs UDM normalized Windows event data

Required Tables

WINEVTLOG UDM events Chronicle UDM entity graph (principal, target)

False Positives

Identity lifecycle management platforms (e.g., Microsoft Identity Manager, Okta AD agent) performing synchronized provisioning operations that touch sensitive group memberships as part of role-based access control workflows across many users simultaneously
Tiered administration models where Tier 0 admin accounts legitimately perform bulk account modifications on Domain Controllers — these will match on every policy enforcement run without indicating malicious activity
Vulnerability scanners or EDR agents running under privileged service accounts that enumerate group memberships, causing 4648 explicit credential logon events that correlate with account modification events from the same host

CrowdStrike LogScale (CQL)

cql

// T1098 Account Manipulation — Windows Security Events via CrowdStrike Falcon LogScale
// Requires Windows Security Event Log forwarding to LogScale

#event_simpleName = "UserAccountModified"
OR (#event_simpleName = "UserAccountCreated" AND TargetUserName != "")
OR (
  event.code in [4738, 4670, 4732, 4728, 4756, 4735, 4648]
  AND channel = "Security"
)
| SubjectUserName != ["-", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"]
| !regex(SubjectUserName, regex=`\$$`)
| changeType := case {
    event.code == 4738 => "UserAccountModified";
    event.code == 4670 => "PermissionsChanged";
    event.code == 4732 => "AddedToLocalGroup";
    event.code == 4728 => "AddedToGlobalGroup";
    event.code == 4756 => "AddedToUniversalGroup";
    event.code == 4735 => "LocalGroupModified";
    event.code == 4648 => "ExplicitCredentialLogon";
    #event_simpleName == "UserAccountModified" => "FalconUserAccountModified";
    * => "Unknown"
  }
| isSensitiveGroup := if(
    regex(TargetUserName, regex=`(?i)(domain admins|enterprise admins|schema admins|^administrators$|account operators|backup operators|server operators|group policy creator owners|remote management users|esx admins)`),
    1, 0
  )
| isHighRisk := if(isSensitiveGroup == 1 OR event.code == 4670, 1, 0)
| groupBy(
    [SubjectUserName, ComputerName],
    function=[
      count(as=TotalEvents),
      sum(isHighRisk, as=HighRiskCount),
      collect([changeType], as=ChangeTypes, limit=20),
      collect([TargetUserName], as=AffectedAccounts, limit=20),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| RiskScore := case {
    HighRiskCount >= 3 => "Critical";
    HighRiskCount >= 1 => "High";
    TotalEvents >= 10 => "Medium";
    * => "Low"
  }
| sort(HighRiskCount, TotalEvents, order=desc)

Detects T1098 Account Manipulation in CrowdStrike LogScale (Humio) using both native Falcon telemetry (UserAccountModified event_simpleName) and Windows Security Event Log forwarding (event.code 4738, 4670, 4732, 4728, 4756, 4735, 4648). Excludes system accounts and machine accounts (trailing $). Groups by actor and hostname, computing HighRiskCount based on sensitive group involvement and permission changes. Produces a tiered risk score — Critical for 3+ high-risk events, High for any sensitive group hit, Medium for 10+ total events.

high severity high confidence

Data Sources

CrowdStrike Falcon platform native telemetry (UserAccountModified, UserAccountCreated) Windows Security Event Log forwarded to LogScale via Falcon Log Collector or Winlogbeat Active Directory Domain Controller Falcon sensor telemetry

Required Tables

Falcon #event_simpleName = UserAccountModified Falcon #event_simpleName = UserAccountCreated Windows Security channel events (event.code 4738/4670/4732/4728/4756/4735/4648)

False Positives

CrowdStrike Falcon Spotlight or Identity Protection module performing automated account risk assessments, which can generate UserAccountModified telemetry for accounts flagged during posture evaluation scans across the fleet
Enterprise PAM solutions (e.g., BeyondTrust, CyberArk) checking out privileged credentials and performing just-in-time group membership elevation — these generate clusters of sensitive group addition events from a service account that self-resolve after the checkout window expires
Microsoft Entra ID (Azure AD) Connect sync agents reconciling on-premises AD group memberships with cloud identities, producing repeated 4728/4756 events from the MSOL sync service account whenever a cloud-side role assignment changes are written back to on-prem AD

Sigma rule & cross-platform mapping

The detection logic for Account Manipulation (T1098) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1098 Sigma rules on detection.fyi

Platform-specific guides for T1098

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (9)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Add User to Local Administrators Group
Expected signal: Security Event ID 4732: A member was added to a security-enabled local group. SubjectUserName = actor, TargetUserName = Administrators (group), MemberName = df00tech-testuser. Sysmon Event ID 1 if executed via cmd.exe: Process Create with Image=net.exe, CommandLine='net localgroup Administrators df00tech-testuser /add'.
Test 2Modify User Account Password — Simulate Credential Manipulation
Expected signal: Security Event ID 4738: A user account was changed. SubjectUserName = executing account, TargetUserName = df00tech-testuser. The 'Changed Attributes' section will show 'Password Last Set' updated. Sysmon Event ID 1: Process Create with net.exe command line visible.
Test 3Disable Password Expiry on Account (UserAccountControl Manipulation)
Expected signal: Security Event ID 4738: A user account was changed. The event detail will show UserAccountControl change with the new value including the DONT_EXPIRE_PASSWORD flag (0x10000 bit set). SubjectUserName identifies the actor performing the change.
Test 4Rename Administrator Account (Lazarus Group TTPs)
Expected signal: Security Event ID 4738: A user account was changed. TargetUserName will show the new account name, and 'SAM Account Name' in the changed attributes will reflect the rename. Sysmon Event ID 1: Process Create with wmic.exe and the rename command visible in CommandLine.
Test 5Grant Remote Desktop Access via Group Membership
Expected signal: Security Event ID 4732: A member was added to a security-enabled local group. TargetUserName = Remote Desktop Users, MemberName = df00tech-testuser, SubjectUserName = executing account. Sysmon Event ID 1: Process Create for powershell.exe with Add-LocalGroupMember in CommandLine.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1098 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0003Persistence TA0004Privilege Escalation

Sub-techniques (7)

Related Techniques

T1078Valid Accounts T1078.002Domain Accounts T1003OS Credential Dumping T1003.001LSASS Memory T1550.002Pass the Hash T1558Steal or Forge Kerberos Tickets T1136Create Account T1098.001Additional Cloud Credentials T1098.003Additional Cloud Roles T1098.007Additional Local or Domain Groups T1484Domain or Tenant Policy Modification T1069Permission Groups Discovery

Account Manipulation

What is T1098 Account Manipulation?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1098

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (7)

Related Techniques

Same Tactic: Persistence

Popular Detections

What is T1098 Account Manipulation?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1098

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Sub-techniques (7)

Related Techniques

Same Tactic: Persistence

Popular Detections

Get new detections in your inbox