title: Account Manipulation (T1098)
id: df00tech-t1098
status: experimental
description: "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. Account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts."
references:
  - https://attack.mitre.org/techniques/T1098/
  - https://df00tech.com/detections/T1098
author: df00tech
date: 2026/04/13
tags:
  - attack.t1098
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# Account-management events (4723/4724/4728/4732/4738/4756) are written to the Security log.
logsource:
  product: windows
  service: security
detection:
  # The original df00tech KQL/SPL query could not be auto-translated; see the query on df00tech.
  # The wildcard placeholder would match every Windows event, so the selection below is a
  # baseline on the Security-log account-management events this technique produces. Tune it
  # against the false positives listed below before enabling at level high.
  selection:
    EventID:
      - 4723  # An attempt was made to change an account's password
      - 4724  # An attempt was made to reset an account's password
      - 4728  # A member was added to a security-enabled global group
      - 4732  # A member was added to a security-enabled local group
      - 4738  # A user account was changed
      - 4756  # A member was added to a security-enabled universal group
  condition: selection
falsepositives:
  - IT administrators performing legitimate account provisioning or group membership changes during onboarding or role transitions
  - "Automated identity management systems (SailPoint, Saviynt, AD Connect) performing scheduled sync operations that generate bulk account modification events"
  - Help desk staff performing password resets or account unlock operations which generate 4738 events
  - Group Policy or SCCM deployments that modify local group membership across endpoints as part of standard configuration management
  - Scheduled account maintenance scripts that iterate through stale accounts and modify their properties
level: high
