Clankerusecase
MITRE ATT&CK detection coverage

T1098 Account Manipulation

T1098 — Account Manipulation is a MITRE ATT&CK technique in the Persistence tactic. Clankerusecase tracks 79 detection use cases covering it and 11 threat-intel articles citing it.

Tactics: Persistence, Privilege Escalation
79 Use cases
11 Articles
7 Sub-techniques
2 Tactics

Sub-techniques (7)

Use cases covering this technique (79)

Atlassian user added to administrative group | Internal | install · alerting | DD
Atlassian administrator impersonating user | Internal | actions · alerting | DD
AWS access key created (programmatic credential) | Internal | actions · alerting | DDCW
AWS CloudTrail logging configuration modified | Internal | install · alerting | DDCW
AWS EC2 security group rules modified | Internal | install · alerting | DDCW
AWS IAM AdministratorAccess policy applied to a user | Internal | install · alerting | DDCW
AWS Lambda function code or configuration modified | Internal | install · alerting | DDCW
AWS S3 bucket policy modified | Internal | install · alerting | DDCW
Azure AD member assigned Global Administrator role | Internal | install · alerting | DD
Azure AD MFA disabled for a user | Internal | install · alerting | DD
Azure new owner added to service principal | Internal | install · alerting | DD
Azure SQL Server firewall rule created | Internal | install · alerting | DD
Azure user added to administrative group | Internal | install · alerting | DD
AWS EC2 key-pair created | Internal | install · alerting | DD
AWS Network ACL modified | Internal | install · alerting | DD
GCP project external principal added as owner | Internal | install · alerting | DD
GCP Compute Engine firewall rule modified | Internal | install · alerting | DD
GCP custom IAM role created | Internal | install · alerting | DD
GCP Cloud Storage bucket permissions modified | Internal | install · alerting | DD
GitHub organization removed from enterprise | Internal | install · alerting | DD
GitHub repository transfer initiated | Internal | actions · alerting | DD
GitLab administrator role granted | Internal | install · alerting | DD
Google Workspace service account modifying group membership | Internal | install · alerting | DD
Kubernetes ClusterRole / binding deleted | Internal | install · alerting | DD
Kubernetes RBAC role binding created | Internal | install · alerting | DD
Kubernetes admission webhook configuration modified | Internal | install · alerting | DD
M365 admin role assigned to user | Internal | install · alerting | DD
MongoDB user role escalated | Internal | install · alerting | DD
Okta administrative role assigned to user | Internal | install · alerting | DD
Okta application access granted to user | Internal | install · alerting | DD
PostgreSQL superuser role created | Internal | install · alerting | DD
Snowflake role created | Internal | install · alerting | DD
Snowflake user added to role | Internal | install · alerting | DD
[WEEKLY] Install-Triggered Registry Publish or Git Push (Supply-Chain Worm Self-Propagation) | Internal | actions · alerting | DSPDDCSCW
[WEEKLY] Sub-admin grants Owner/Administrator role then grantee signs in from a different source within 60 minutes | Internal | exploit · alerting | DSPDDCW
Cisco ASA - User Privilege Level Change | ESCU | actions · hunting | P
ESXi Account Modified | ESCU | actions · hunting | P
ESXi User Granted Admin Role | ESCU | actions · alerting | P
ASL AWS IAM Delete Policy | ESCU | actions · hunting | P
ASL AWS IAM Failure Group Deletion | ESCU | actions · hunting | P
ASL AWS IAM Successful Group Deletion | ESCU | actions · hunting | P
AWS IAM Delete Policy | ESCU | actions · hunting | P
AWS IAM Failure Group Deletion | ESCU | actions · hunting | P
AWS IAM Successful Group Deletion | ESCU | actions · hunting | P
Azure AD Service Principal Owner Added | ESCU | actions · alerting | P
Azure AD User Enabled And Password Reset | ESCU | actions · alerting | P
Azure AD User ImmutableId Attribute Updated | ESCU | actions · alerting | P
O365 Application Registration Owner Added | ESCU | actions · alerting | P
Windows AD add Self to Group | ESCU | actions · alerting | P
Windows AD DSRM Account Changes | ESCU | actions · alerting | P
Windows AD DSRM Password Reset | ESCU | actions · alerting | P
Windows AD Privileged Group Modification | ESCU | actions · alerting | P
Windows AD Self DACL Assignment | ESCU | actions · alerting | P
Windows AD ServicePrincipalName Added To Domain Account | ESCU | actions · alerting | P
Windows AD Short Lived Domain Account ServicePrincipalName | ESCU | actions · alerting | P
Windows Azure PowerShell Module Installation Via PowerShell Script | ESCU | actions · hunting | P
Windows DnsAdmins New Member Added | ESCU | actions · alerting | P
Windows Entra User Management Via Azure CLI | ESCU | actions · hunting | P
Windows Increase in Group or Object Modification Activity | ESCU | actions · alerting | P
Windows Increase in User Modification Activity | ESCU | actions · alerting | P
Windows Multiple Account Passwords Changed | ESCU | actions · alerting | P
Windows Multiple Accounts Deleted | ESCU | actions · alerting | P
Windows Multiple Accounts Disabled | ESCU | actions · alerting | P
Cisco Configuration Archive Logging Analysis | ESCU | actions · hunting | P
[LLM] Budibase CVE-2026-48150: POST /api/public/v1/roles/assign with global builder/admin grant in body | Bespoke | exploit · alerting | SΣPDD
[LLM] Budibase audit log: builder.global / admin.global granted to user by non-global caller | Bespoke | actions · alerting | SPDD
[LLM] Budibase: rapid bulk POSTs to /api/public/v1/roles/assign from single source | Bespoke | actions · alerting | SPDD
[LLM] phpBB OAuth account-binding CSRF — anomalous traffic to pre-3.3.17 OAuth callback path | Bespoke | exploit · hunting | SΣP
[LLM] nebula-mesh CVE-2026-47724 — cross-tenant firewall mutation via PUT /api/v1/networks/{id}/firewall | Bespoke | actions · hunting | SΣPDD
[LLM] nebula-mesh CVE-2026-47724 — operator sabotage (disable/enable/key revocation) by non-admin actor | Bespoke | actions · alerting | SΣPDD
[LLM] Passwordless sudo rule dropped into /etc/sudoers.d (Miasma privilege escalation) | Bespoke | exploit · alerting | DSΣPDDCS
[LLM] GitHub bulk git tag force-push by single actor across multiple org repos | Bespoke | delivery · hunting | PDD
[LLM] praisonai-platform: identity-swap chain — owner grant followed by login from the granted account | Bespoke | actions · hunting | DSPDD
[LLM] praisonai-platform CVE-2026-47416: PATCH /workspaces/{id}/members/{user_id} role-change request | Bespoke | exploit · hunting | SΣPDD
[LLM] praisonai-platform CVE-2026-47416: Member self-promotion + legitimate-owner demotion chain within one hour | Bespoke | install · hunting | SPDD
[LLM] PraisonAI Platform member role mutation endpoint hit (CVE-2026-47407 privilege escalation) | Bespoke | actions · alerting | SΣPDDCW
[LLM] Strapi CVE-2026-27886 admin takeover — exploit burst followed by `/admin/reset-password` POST | Bespoke | actions · alerting | SPDD
[LLM] AD CS attacker tooling execution: Certify, Certipy, Whisker process indicators | Bespoke | install · alerting | DSΣPDDCS
[LLM] Shai-Hulud style repository poisoning — .claude/router_runtime.js drop | Bespoke | actions · alerting | DSΣPDD

Articles citing this technique (11)