MITRE ATT&CK Technique
Persistence T1098
Description

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078).

Supported Platforms
Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2017-05-31T21:31:12.196Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may manipulate accounts to maintain and/or '
                'elevate access to victim systems. Account manipulation may '
                'consist of any action that preserves or modifies adversary '
                'access to a compromised account, such as modifying '
                'credentials or permission groups.(Citation: FireEye SMOKEDHAM '
                'June 2021) These actions could also include account activity '
                'designed to subvert security policies, such as performing '
                'iterative password updates to bypass password duration '
                'policies and preserve the life of compromised credentials. \n'
                '\n'
                'In order to create or manipulate accounts, the adversary must '
                'already have sufficient permissions on systems or the domain. '
                'However, account manipulation may also lead to privilege '
                'escalation where modifications grant access to additional '
                'roles, permissions, or higher-privileged [Valid '
                'Accounts](https://attack.mitre.org/techniques/T1078).',
 'external_references': [{'external_id': 'T1098',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1098'},
                         {'description': 'FireEye. (2021, June 16). Smoking '
                                         'Out a DARKSIDE Affiliate’s Supply '
                                         'Chain Software Compromise. Retrieved '
                                         'September 22, 2021.',
                          'source_name': 'FireEye SMOKEDHAM June 2021',
                          'url': 'https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html'},
                         {'description': 'Franklin Smith, R. (n.d.). Windows '
                                         'Security Log Event ID 4670. '
                                         'Retrieved November 4, 2019.',
                          'source_name': 'Microsoft Security Event 4670',
                          'url': 'https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670'},
                         {'description': 'Lich, B., Miroshnikov, A. (2017, '
                                         'April 5). 4738(S): A user account '
                                         'was changed. Retrieved June 30, '
                                         '2017.',
                          'source_name': 'Microsoft User Modified Event',
                          'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738'},
                         {'description': 'Warren, J. (2017, July 11). '
                                         'Manipulating User Passwords with '
                                         'Mimikatz. Retrieved December 4, '
                                         '2017.',
                          'source_name': 'InsiderThreat ChangeNTLM July 2017',
                          'url': 'https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM'},
                         {'description': 'Warren, J. (2017, June 22). '
                                         'lsadump::changentlm and '
                                         'lsadump::setntlm work, but generate '
                                         'Windows events #92. Retrieved '
                                         'December 4, 2017.',
                          'source_name': 'GitHub Mimikatz Issue 92 June 2017',
                          'url': 'https://github.com/gentilkiwi/mimikatz/issues/92'}],
 'id': 'attack-pattern--a10641f4-87b4-45a3-a906-92a149cb2c27',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'}],
 'modified': '2025-10-24T17:49:10.273Z',
 'name': 'Account Manipulation',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Jannie Li, Microsoft Threat Intelligence\u202f'
                          'Center\u202f(MSTIC)',
                          'Praetorian',
                          'Tim MalcomVetter',
                          'Wojciech Lesicki',
                          'Arad Inbar, Fidelis Security'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Containers',
                       'ESXi',
                       'IaaS',
                       'Identity Provider',
                       'Linux',
                       'macOS',
                       'Network Devices',
                       'Office Suite',
                       'SaaS',
                       'Windows'],
 'x_mitre_version': '2.8'}
Related Threat Actors (7)
Lazarus Group
High

HAFNIUM
High

Scattered Spider
High

APT28
High

APT3
High