T1098 Microsoft Sentinel · KQL

Detect Account Manipulation in Microsoft Sentinel

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. Account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1098 Account Manipulation
Canonical reference
https://attack.mitre.org/techniques/T1098/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1098 — Account Manipulation: Detects suspicious account property changes, privilege assignments, and group membership modifications
let SensitiveGroups = dynamic(["Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators", "Account Operators", "Backup Operators", "Print Operators", "Server Operators", "Group Policy Creator Owners", "Remote Management Users", "ESX Admins"]);
let LookbackWindow = 1d;
union
(
    // 4738 - User account changed (password reset, UserAccountControl changes, etc.)
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4738
    | extend TargetAccount = TargetUserName, ChangedBy = SubjectUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = "UserAccountModified"
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4670 - Account permissions changed
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4670
    | extend TargetAccount = TargetUserName, ChangedBy = SubjectUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = "PermissionsChanged"
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4732 - Member added to security-enabled local group
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4732
    | extend TargetAccount = MemberName, ChangedBy = SubjectUserName
    | extend GroupName = TargetUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = strcat("AddedToGroup:", GroupName)
    | where GroupName in~ (SensitiveGroups)
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4728 - Member added to security-enabled global group
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4728
    | extend TargetAccount = MemberName, ChangedBy = SubjectUserName
    | extend GroupName = TargetUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = strcat("AddedToGlobalGroup:", GroupName)
    | where GroupName in~ (SensitiveGroups)
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4756 - Member added to security-enabled universal group
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4756
    | extend TargetAccount = MemberName, ChangedBy = SubjectUserName
    | extend GroupName = TargetUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = strcat("AddedToUniversalGroup:", GroupName)
    | where GroupName in~ (SensitiveGroups)
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
),
(
    // 4648 - Logon using explicit credentials after account change (potential Skeleton Key)
    SecurityEvent
    | where TimeGenerated > ago(LookbackWindow)
    | where EventID == 4648
    | extend TargetAccount = TargetUserName, ChangedBy = SubjectUserName
    | extend AccountDomain = TargetDomainName
    | extend ChangeType = "ExplicitCredentialLogon"
    | where SubjectUserName != TargetUserName
    | project TimeGenerated, EventID, TargetAccount, ChangedBy, AccountDomain, ChangeType, Computer, _SubscriptionId
)
| summarize EventCount=count(), EventTypes=make_set(ChangeType), AffectedAccounts=make_set(TargetAccount), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by ChangedBy, Computer
| where EventCount >= 1
| extend RiskScore = case(
    EventCount >= 10, "High",
    EventCount >= 3, "Medium",
    "Low"
  )
| sort by EventCount desc
high severity high confidence

Detects account manipulation activity across Windows domain environments using Security event log data. Monitors for user account property changes (EventID 4738), permission modifications (EventID 4670), and membership additions to sensitive groups including Domain Admins, Enterprise Admins, Administrators, and ESX Admins (EventIDs 4732, 4728, 4756). Also captures explicit credential logon events (EventID 4648) that may indicate Skeleton Key or pass-the-hash activity following account compromise. Results are aggregated by actor and computer with a risk score based on activity volume.

Data Sources

User Account: User Account ModificationActive Directory: Active Directory Object ModificationWindows Security Event Log

Required Tables

SecurityEvent

False Positives & Tuning

  • IT administrators performing legitimate account provisioning or group membership changes during onboarding or role transitions
  • Automated identity management systems (SailPoint, Saviynt, AD Connect) performing scheduled sync operations that generate bulk account modification events
  • Help desk staff performing password resets or account unlock operations which generate 4738 events
  • Group Policy or SCCM deployments that modify local group membership across endpoints as part of standard configuration management
  • Scheduled account maintenance scripts that iterate through stale accounts and modify their properties
Download portable Sigma rule (.yml)

Other platforms for T1098

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Add User to Local Administrators Group

    Expected signal: Security Event ID 4732: A member was added to a security-enabled local group. SubjectUserName = actor, TargetUserName = Administrators (group), MemberName = df00tech-testuser. Sysmon Event ID 1 if executed via cmd.exe: Process Create with Image=net.exe, CommandLine='net localgroup Administrators df00tech-testuser /add'.

  2. Test 2Modify User Account Password — Simulate Credential Manipulation

    Expected signal: Security Event ID 4738: A user account was changed. SubjectUserName = executing account, TargetUserName = df00tech-testuser. The 'Changed Attributes' section will show 'Password Last Set' updated. Sysmon Event ID 1: Process Create with net.exe command line visible.

  3. Test 3Disable Password Expiry on Account (UserAccountControl Manipulation)

    Expected signal: Security Event ID 4738: A user account was changed. The event detail will show UserAccountControl change with the new value including the DONT_EXPIRE_PASSWORD flag (0x10000 bit set). SubjectUserName identifies the actor performing the change.

  4. Test 4Rename Administrator Account (Lazarus Group TTPs)

    Expected signal: Security Event ID 4738: A user account was changed. TargetUserName will show the new account name, and 'SAM Account Name' in the changed attributes will reflect the rename. Sysmon Event ID 1: Process Create with wmic.exe and the rename command visible in CommandLine.

  5. Test 5Grant Remote Desktop Access via Group Membership

    Expected signal: Security Event ID 4732: A member was added to a security-enabled local group. TargetUserName = Remote Desktop Users, MemberName = df00tech-testuser, SubjectUserName = executing account. Sysmon Event ID 1: Process Create for powershell.exe with Add-LocalGroupMember in CommandLine.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1098 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (7)

Related Techniques

T1078Valid AccountsT1078.002Domain AccountsT1003OS Credential DumpingT1003.001LSASS MemoryT1550.002Pass the HashT1558Steal or Forge Kerberos TicketsT1136Create AccountT1098.001Additional Cloud CredentialsT1098.003Additional Cloud RolesT1098.007Additional Local or Domain GroupsT1484Domain or Tenant Policy ModificationT1069Permission Groups Discovery

Same Tactic: Persistence

Popular Detections