Account Manipulation

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.


ID: T1098
Sub-techniques: T1098.001, T1098.002, T1098.003, T1098.004
Tactic: Persistence
Platforms: Azure AD, Google Workspace, IaaS, Linux, Office 365, Windows, macOS
Contributors: Jannie Li, Microsoft Threat Intelligence Center (MSTIC); Praetorian; Tim MalcomVetter
Version: 2.2
Created: 31 May 2017
Last Modified: 18 October 2021
Provided by LAYER 8

Procedure Examples

ID Name Description
G0022 APT3

APT3 has been known to add created accounts to local admin groups to maintain elevated access.[1]

S0274 Calisto

Calisto adds permissions and remote logins to all users.[2]

G0074 Dragonfly 2.0

Dragonfly 2.0 added newly created accounts to the administrators group to maintain elevated access.[3][4]

G0032 Lazarus Group

Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.[5][6]

S0002 Mimikatz

The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The LSADUMP::ChangeNTLM and LSADUMP::SetNTLM modules can also manipulate the password hash of an account without knowing the clear text value.[7][8]

G0034 Sandworm Team

Sandworm Team used the sp_addlinkedsrvlogin command in MS-SQL to create a link between a created account and other servers in the network.[9]

S0649 SMOKEDHAM

SMOKEDHAM has added created user accounts to local Admin groups.[10]

Mitigations

ID Mitigation Description
M1032 Multi-factor Authentication

Use multi-factor authentication for user and privileged accounts.

M1030 Network Segmentation

Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.

M1028 Operating System Configuration

Protect domain controllers by ensuring proper security configuration for critical servers to limit access by potentially unnecessary protocols and services, such as SMB file sharing.

M1026 Privileged Account Management

Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID | Data Source | Data Component
DS0026 | Active Directory | Active Directory Object Modification
DS0017 | Command | Command Execution
DS0022 | File | File Modification
DS0036 | Group | Group Modification
DS0009 | Process | Process Creation
DS0002 | User Account | User Account Modification

Collect events that correlate with changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.[11][12] Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ[13] or that include additional flags such as changing a password without knowledge of the old password.[14]

Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.

Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
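The three detection paragraphs above can be turned into concrete rules over exported Security events. The following is an added example written for this page, not ATT&CK's own content or any vendor's detection: it takes events as plain dicts using the field names the EVTX-to-JSON exporters emit (SubjectUserName, TargetUserName, MemberName, ObjectName), flags additions to privileged groups (4728), account changes where subject and target differ (4738), off-hours permission changes (4670), and, going one step beyond the page's list, counts password resets (4724, the event that does not require the old password) to catch the iterative-reset pattern the description mentions. The privileged group names, the business-hours window, the reset threshold and SAMPLE_EVENTS are all constructed for the example.

```python
"""Account-manipulation detection over Windows Security events.

Added example, not part of the ATT&CK page. Events are plain dicts with the
fields these event IDs expose once exported from EVTX to JSON; SAMPLE_EVENTS
is constructed data, not a real capture.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: which groups count as privileged, what
# "business hours" are, and how many resets of one account in a day look iterative.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time
RESET_WINDOW = timedelta(hours=24)
RESET_THRESHOLD = 2                    # more than 2 resets per window is iterative


def _finding(rule, ev):
    return {"rule": rule, "event_id": ev["EventID"],
            "subject": ev.get("SubjectUserName"),
            "target": ev.get("TargetUserName"),
            "time": ev["TimeCreated"]}


def analyze(events):
    """Return findings for 4738 (user account changed), 4728 (member added to
    a global group), 4670 (object permissions changed) and 4724 (password
    reset attempt, which does not require the old password)."""
    findings = []
    resets = defaultdict(list)         # target account -> reset timestamps
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        eid = ev["EventID"]
        ts = datetime.fromisoformat(ev["TimeCreated"])
        subject = ev.get("SubjectUserName", "")
        target = ev.get("TargetUserName", "")
        if eid == 4728:
            # In 4728 TargetUserName is the group; MemberName is who was added.
            if target in PRIVILEGED_GROUPS:
                f = _finding("privileged-group-member-added", ev)
                f["member"] = ev.get("MemberName")
                findings.append(f)
        elif eid == 4738:
            # Self-service changes have subject == target; anything else is one
            # principal modifying another account's attributes.
            if subject.lower() != target.lower():
                findings.append(_finding("account-changed-by-other-principal", ev))
        elif eid == 4724:
            findings.append(_finding("password-reset-without-old-password", ev))
            resets[target].append(ts)
            recent = [t for t in resets[target] if ts - t <= RESET_WINDOW]
            if len(recent) > RESET_THRESHOLD:
                findings.append(_finding("iterative-password-resets", ev))
        elif eid == 4670 and ts.hour not in BUSINESS_HOURS:
            f = _finding("off-hours-permission-change", ev)
            f["object"] = ev.get("ObjectName")
            findings.append(f)
    return findings


def summarize(events):
    """Count findings per rule; a quick triage view."""
    return dict(Counter(f["rule"] for f in analyze(events)))


# Constructed sample: a helpdesk account adds a service account to Domain Admins
# at 03:12, rewrites its attributes, resets its password three times in a day,
# and an ACL changes at 02:58. The jsmith and Sales events are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 4670, "TimeCreated": "2021-10-18T02:58:00", "SubjectUserName": "helpdesk1",
     "ObjectName": "CN=AdminSDHolder,CN=System,DC=corp,DC=example"},
    {"EventID": 4728, "TimeCreated": "2021-10-18T03:12:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4738, "TimeCreated": "2021-10-18T03:13:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "svc-backup"},
    {"EventID": 4724, "TimeCreated": "2021-10-18T03:14:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "svc-backup"},
    {"EventID": 4738, "TimeCreated": "2021-10-18T10:00:00", "SubjectUserName": "jsmith",
     "TargetUserName": "jsmith"},
    {"EventID": 4724, "TimeCreated": "2021-10-18T09:40:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "svc-backup"},
    {"EventID": 4728, "TimeCreated": "2021-10-18T11:05:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "Sales", "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
    {"EventID": 4724, "TimeCreated": "2021-10-18T15:05:00", "SubjectUserName": "helpdesk1",
     "TargetUserName": "svc-backup"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
    print(summarize(SAMPLE_EVENTS))
```

The subject/target comparison on 4738 is deliberately simple; in a real pipeline you would whitelist the helpdesk and provisioning accounts that legitimately modify others, and feed the 4724 counter from all domain controllers, since an adversary can spread resets across DCs to stay under a per-host threshold.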


References