Account Manipulation (T1098)

View on ATT&CK

In Playbook

Associated Tactics

  • Persistence
  • Privilege Escalation

Persistence (TA0003)

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

View on ATT&CK

Procedure Examples

Description Source(s)
FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. FireEye SMOKEDHAM June 2021
Franklin Smith, R. (n.d.). Windows Security Log Event ID 4670. Retrieved November 4, 2019. Microsoft Security Event 4670
Lich, B., Miroshnikov, A. (2017, April 5). 4738(S): A user account was changed. Retrieved June 30, 2017. Microsoft User Modified Event
Warren, J. (2017, July 11). Manipulating User Passwords with Mimikatz. Retrieved December 4, 2017. InsiderThreat ChangeNTLM July 2017
Warren, J. (2017, June 22). lsadump::changentlm and lsadump::setntlm work, but generate Windows events #92. Retrieved December 4, 2017. GitHub Mimikatz Issue 92 June 2017