DC0010: User Account Modification
Changes made to an existing user, service, or machine account, including alterations to attributes, permissions, roles, authentication methods, or group memberships.
Analyst context for executives and security teams
User Account Modification is a core identity evidence source: it captures changes to existing user, service, or machine accounts, including permissions, roles, authentication methods, attributes, and group memberships. For leaders, this matters because account changes often determine who can access critical systems and whether identity governance, incident response, and audit controls can prove that access was appropriate.
Executive priority
Treat this data component as a priority for identity assurance and incident readiness. Executives and risk owners should ask whether the organization can reconstruct who changed an account, what changed, when it changed, and whether the change was authorized. This evidence is important for access reviews, privileged-access governance, compliance support, and fast incident decisions involving suspected misuse of existing accounts.
Technical view
SOC, detection, and IR teams should validate that account-change events are collected for existing user, service, and machine accounts, especially changes to attributes, permissions, roles, authentication methods, and group memberships. Because ATT&CK does not provide platforms, tactics, or detection logic for this object, local identity architecture must drive coverage validation. Focus on whether account modification records include actor, target account, changed fields, previous and new values where available, timestamp, source system, and administrative context.
Likely telemetry
- Directory or identity-provider audit logs for user, service, and machine account changes
- Privilege, role, and permission assignment change records
- Group membership modification events
- Authentication method enrollment, removal, or reset events
- Account attribute change records, such as status, ownership, or policy-related fields
Detection direction
- Baseline normal administrative account-change activity and alert on unusual timing, unusual administrators, unusual target accounts, or sensitive permission and role changes.
- Prioritize detections for modifications affecting privileged accounts, service accounts, machine accounts, authentication methods, and high-impact group memberships.
- Correlate account modifications with change-management records where available to reduce false positives from approved administration.
- Validate that logs preserve enough detail to distinguish routine profile updates from security-relevant changes to permissions, roles, authentication methods, or group membership.
- Identify blind spots where account changes are made through alternate administrative paths, APIs, automation, or federated identity systems that may not feed the SOC.
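One way to put these detection directions into practice, as an added example that is not part of the ATT&CK record or this page's analysis: Python triage logic over a few constructed account-modification events in a normalized schema, using assumed local baselines (known administrators, privileged groups, business hours and a change-ticket index) to suppress approved administration and flag the rest.

```python
from datetime import datetime

# Assumed local baselines (not from ATT&CK or this page): who normally administers accounts,
# which groups are high-impact, and which fields are security-relevant rather than profile noise.
KNOWN_ADMINS = {"alice.admin", "svc-iam-sync"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
SENSITIVE_FIELDS = {"group_membership", "auth_method", "role", "permission"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time

# Constructed change-management records keyed by (target, field, new value).
APPROVED_CHANGES = {("bob.smith", "group_membership", "Domain Admins"): "CHG-1001"}

# Constructed events carrying the evidence fields the page asks for:
# actor, target account, changed field, previous/new value, timestamp, source system.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2026-03-10T10:15:00", "actor": "alice.admin", "target": "bob.smith",
     "field": "group_membership", "old": None, "new": "Domain Admins", "source": "AD"},
    {"id": 2, "ts": "2026-03-10T02:40:00", "actor": "contractor7", "target": "svc-backup",
     "field": "auth_method", "old": "password", "new": "mfa_device_enrolled", "source": "IdP"},
    {"id": 3, "ts": "2026-03-10T11:00:00", "actor": "alice.admin", "target": "carol.jones",
     "field": "department", "old": "Sales", "new": "Marketing", "source": "AD"},
    {"id": 4, "ts": "2026-03-10T14:05:00", "actor": "svc-iam-sync", "target": "dave.lee",
     "field": "group_membership", "old": None, "new": "Enterprise Admins", "source": "AD"},
]

def evaluate(event):
    """Return anomaly reasons for a security-relevant change; [] means routine or approved."""
    if event["field"] not in SENSITIVE_FIELDS:
        return []  # routine profile update, e.g. department
    reasons = []
    if event["actor"] not in KNOWN_ADMINS:
        reasons.append("unusual_actor")
    if datetime.fromisoformat(event["ts"]).hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    if (event["target"], event["field"], event["new"]) not in APPROVED_CHANGES:
        reasons.append("no_change_ticket")
    if event["target"].startswith("svc-") and event["field"] == "auth_method":
        reasons.append("service_account_auth_change")
    return reasons

def priority(event, reasons):
    """High when a privileged group or a service account's authentication is involved."""
    high = event["new"] in PRIVILEGED_GROUPS or "service_account_auth_change" in reasons
    return "high" if high else "medium"

def triage(events):
    """Map event id -> (priority, reasons) for every modification that warrants review."""
    out = {}
    for e in events:
        r = evaluate(e)
        if r:
            out[e["id"]] = (priority(e, r), r)
    return out
```

Event 1 is a privileged-group change but matches a change ticket from a known administrator in business hours, so it is suppressed; event 4 is the same kind of change without a ticket and is raised as high priority.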
Mitigation priorities
- Ensure all authoritative identity systems produce audit records for account modifications.
- Define and enforce approval workflows for sensitive account, role, permission, authentication-method, and group-membership changes.
- Limit who can modify high-value accounts and periodically review administrative privileges.
- Retain account-change logs long enough to support incident investigation, compliance evidence, and access-review cycles.
- Test incident response procedures for reconstructing account-change history during suspected identity compromise.
Analyst notes and limits
This object is a data component, not an ATT&CK technique. Its value is in determining whether defenders have the evidence needed to investigate and govern account changes. The supplied ATT&CK record provides a clear scope for the data source but no platform-specific guidance, detection analytics, tactics, or relationships, so implementation must be mapped to the organization’s actual identity and account-management systems.
No official detection text, platforms, tactics, or relationship context were supplied. This take does not assert adversary use, active exploitation, or guaranteed detection coverage. Local logging, identity architecture, retention, and change-management processes are required to determine actual defensive value.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 0e9bb78def43… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack, external ID DC0010 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.