DET0096 Account Manipulation Behavior Chain Detection

Item	Value
ID	DET0096
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1098 (Account Manipulation)

Analytics

Windows

AN0265

Account attribute changes (e.g., password set, group membership, servicePrincipalName, logon hours) correlated with unusual process lineage or timing, indicating privilege escalation or persistence via valid accounts.

Log Sources

Data Component	Name	Channel
User Account Modification (DC0010)	WinEventLog:Security	EventCode=4738, 4728, 4670
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1

Mutable Elements

Field	Description
TimeWindow	Time between suspicious process and account change (e.g., 5m).
HighPrivilegeGroupList	Customize group list (e.g., Domain Admins, Enterprise Admins) to monitor.
SubjectTargetMismatch	Flag if account modifier != modified user (potential hijack).

Linux

AN0266

Use of native tools or scripting (e.g., usermod, passwd, groupmod) to escalate permissions or persist access on existing users, correlated with login or process events.

Log Sources

Data Component	Name	Channel
User Account Modification (DC0010)	auditd:SYSCALL	usermod, groupmod, passwd
File Modification (DC0061)	auditd:PATH	/etc/passwd or /etc/group file write

Mutable Elements

Field	Description
SudoPath	Common sudo or privilege escalation paths (e.g., `/usr/bin/passwd`).
ModifiedShellList	Detect if user shell is changed to unusual one (e.g., /bin/sh -> /bin/bash).

macOS

AN0267

Modifications to user accounts via dscl, pwpolicy, or System Preferences CLI (sysadminctl) that alter user groups, enable root, or bypass MDM restrictions.

Log Sources

Data Component	Name	Channel
User Account Modification (DC0010)	macos:unifiedlog	com.apple.accountsd, com.apple.opendirectoryd

Mutable Elements

Field	Description
ModifiedUserList	Track known non-system user UIDs or service accounts.
GroupMembershipChanges	List of sensitive groups (admin, _developer, _analyticsd).

Identity Provider

AN0268

Modifications to SSO/SAML user attributes (e.g., isAdmin, role, MFA bypass, App assignments) often through CLI, API, or rogue IdP apps.

Log Sources

Data Component	Name	Channel
User Account Modification (DC0010)	saas:okta	User Attribute Modified / Role Assignment Changed

Mutable Elements

Field	Description
RoleAssignmentBaseline	Expected user-role pairings per app or org unit.
APIUsageContext	Caller identity or IP address ranges for identity admin actions.

ESXi

AN0269

Addition of new users or changes to role permissions (e.g., ReadOnly -> Admin) via API or vSphere Client, particularly from non-jumpbox IPs.

Log Sources

Data Component	Name	Channel
Active Directory Object Modification (DC0066)	esxi:vpxa	vim.SessionManager.login / vim.AccountManager.createUser

Mutable Elements

Field	Description
VMAdminAccountName	Expected account name patterns for ESXi/vCenter admins.
NetworkAccessLocation	Expected IPs/subnets for legitimate ESXi access.

SaaS

AN0270

Role escalation (e.g., Editor → Owner) in cloud collaboration tools (Google Workspace, O365) or file sharing apps to maintain elevated access.

Log Sources

Data Component	Name	Channel
User Account Modification (DC0010)	m365:unified	Admin Activity > Role Change or Sharing Change

Mutable Elements

Field	Description
SharingSensitivityLabel	Threshold for labeling sensitive document access escalation.
CrossOrgChanges	Track changes made across organizational boundaries (e.g., guest users).