DET0096: Account Manipulation Behavior Chain Detection
Analyst context for executives and security teams
DET0096 is a detection strategy for finding behavior chains associated with Account Manipulation. For leaders, the business issue is not a single account change; it is whether unauthorized or risky identity changes could let an intruder preserve access or increase privileges across identity providers, cloud infrastructure, containers, or ESXi environments.
Executive priority
Prioritize this as an identity and operational resilience control question: can the organization prove who changed credentials, groups, permissions, or account security settings, and can the SOC distinguish approved administration from access preservation or privilege escalation? This matters for incident decisions, audit evidence, and reducing the chance that a compromise survives password resets or routine containment actions.
Technical view
The supplied ATT&CK relationship maps DET0096 to T1098 Account Manipulation, under persistence and privilege escalation. SOC and IR teams should validate chained detections across account lifecycle and permission-change events rather than relying only on isolated alerts. Coverage should be assessed wherever the related technique applies: Identity Provider, IaaS, Containers, and ESXi environments. Because the detection strategy object does not include official detection logic, local engineering should define correlation rules around suspicious combinations of credential changes, group or permission modifications, repeated password updates, and security-policy subversion indicators.
Likely telemetry
- Identity provider audit logs for account, credential, group, role, and policy changes
- Cloud/IaaS control-plane audit logs for IAM permission and role modifications
- Container platform audit logs for account, service account, role, or access policy changes
- ESXi or virtualization management logs for account and privilege changes
- Directory or access-management events showing password resets, password changes, MFA/security setting changes, or group membership updates
Detection direction
- Validate correlations that connect multiple account or permission changes over time, especially when they affect privileged, service, administrative, or high-value accounts.
- Tune for legitimate administrative workflows, onboarding/offboarding, emergency access, and scheduled IAM maintenance to reduce false positives.
- Look for blind spots where identity changes occur outside the central IdP, such as cloud-native IAM, container control planes, or ESXi management interfaces.
- Ensure detections preserve enough context for IR: actor, target account, previous value, new value, source system, time sequence, and approval evidence where available.
- Use the T1098 relationship to align alert triage with persistence and privilege-escalation hypotheses rather than treating account changes as purely administrative events.
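One way to turn the technical view and the detection direction above into correlation logic, as an added example that is not part of the ATT&CK object or of this page: a small Python correlator that takes identity audit records already normalized into one schema (whether they came from the IdP, an IaaS control plane, a container platform, or an ESXi host), drops events that carry an approved change ticket, and raises one alert per target account whose remaining risky changes cluster inside a time window. Each alert keeps the IR context listed above: actor, target, source, previous and new value, and the ordered sequence. The field names, action vocabulary, privileged-principal list, ticket allowlist, 30-minute window, and every sample record are constructed assumptions, not fields from any real product.

```python
"""Behavior-chain correlation for account manipulation over normalized identity audit events.

Added example for this page, not code from the ATT&CK object or from Glexia. The schema,
action names, thresholds, privileged-principal list, ticket allowlist and sample records
are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)     # assumed: changes to one account within 30 min form a chain
MIN_DISTINCT_ACTIONS = 2           # one change is administration; several kinds in sequence is a chain

# Assumed normalized action names shared by IdP, IaaS, container and ESXi feeds
ESCALATION = {"group_add", "role_assign", "policy_attach"}
ACCESS_PRESERVATION = {"password_reset", "password_change", "mfa_disabled",
                       "account_create", "ssh_key_add", "credential_add"}
# Assumed privileged principals across the administration paths named on this page
PRIVILEGED = {"Domain Admins", "AdministratorAccess", "cluster-admin", "Administrator"}
APPROVED_TICKETS = {"CHG-1234"}    # assumed change-control allowlist (onboarding, maintenance)

# Constructed sample records: one dict per audit event, already normalized per source
SAMPLE_EVENTS = [
    # Chain on a service account: reset, privileged group, then MFA weakened, no ticket
    {"ts": "2024-05-01T09:00:00Z", "source": "idp", "actor": "helpdesk.bob", "target": "svc-backup",
     "action": "password_reset", "old": None, "new": None, "ticket": None},
    {"ts": "2024-05-01T09:04:00Z", "source": "idp", "actor": "helpdesk.bob", "target": "svc-backup",
     "action": "group_add", "old": None, "new": "Domain Admins", "ticket": None},
    {"ts": "2024-05-01T09:06:30Z", "source": "idp", "actor": "helpdesk.bob", "target": "svc-backup",
     "action": "mfa_disabled", "old": "enforced", "new": "disabled", "ticket": None},
    # Approved onboarding: the same shape of changes, but tied to a change ticket
    {"ts": "2024-05-01T10:00:00Z", "source": "idp", "actor": "iam.automation", "target": "alice",
     "action": "password_reset", "old": None, "new": None, "ticket": "CHG-1234"},
    {"ts": "2024-05-01T10:01:00Z", "source": "k8s", "actor": "iam.automation", "target": "alice",
     "action": "role_assign", "old": None, "new": "cluster-admin", "ticket": "CHG-1234"},
    # Isolated cloud IAM change outside the IdP: risky, but a single event is not a chain
    {"ts": "2024-05-01T11:00:00Z", "source": "iaas", "actor": "carol", "target": "deploy-role",
     "action": "policy_attach", "old": None, "new": "AdministratorAccess", "ticket": None},
    # Chain on an ESXi host: local account created and immediately made Administrator
    {"ts": "2024-05-01T12:00:00Z", "source": "esxi", "actor": "root", "target": "esxi-ops",
     "action": "account_create", "old": None, "new": None, "ticket": None},
    {"ts": "2024-05-01T12:05:00Z", "source": "esxi", "actor": "root", "target": "esxi-ops",
     "action": "role_assign", "old": "ReadOnly", "new": "Administrator", "ticket": None},
    # Slow chain: the two changes are an hour apart, so the 30-minute window misses it
    {"ts": "2024-05-01T13:00:00Z", "source": "idp", "actor": "dave", "target": "dave",
     "action": "password_change", "old": None, "new": None, "ticket": None},
    {"ts": "2024-05-01T14:00:00Z", "source": "idp", "actor": "dave", "target": "dave",
     "action": "group_add", "old": None, "new": "Domain Admins", "ticket": None},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_risky(ev):
    """Count an event toward a chain if it preserves access or grants a privileged principal."""
    if ev["action"] in ACCESS_PRESERVATION:
        return True
    return ev["action"] in ESCALATION and ev.get("new") in PRIVILEGED


def clusters(evs, window):
    """Yield runs of time-sorted events whose span from the run's first event stays within window."""
    run = []
    for ev in evs:
        if run and ev["_t"] - run[0]["_t"] > window:
            yield run
            run = []
        run.append(ev)
    if run:
        yield run


def correlate(events, window=WINDOW):
    """Return one alert per target account whose unapproved risky changes cluster in time.

    Ticketed events are dropped before correlation so approved workflows do not alert.
    Each alert keeps actor(s), target, source(s), the ordered sequence with previous and
    new values, and whether a privileged principal was granted along the way.
    """
    by_target = defaultdict(list)
    for ev in events:
        if ev.get("ticket") in APPROVED_TICKETS or not is_risky(ev):
            continue
        by_target[ev["target"]].append(dict(ev, _t=parse_ts(ev["ts"])))

    alerts = []
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["_t"])
        for run in clusters(evs, window):
            if len({e["action"] for e in run}) < MIN_DISTINCT_ACTIONS:
                continue
            alerts.append({
                "target": target,
                "actors": sorted({e["actor"] for e in run}),
                "sources": sorted({e["source"] for e in run}),
                "first_seen": run[0]["ts"],
                "last_seen": run[-1]["ts"],
                "privilege_granted": any(e["action"] in ESCALATION for e in run),
                "sequence": [(e["ts"], e["source"], e["actor"], e["action"], e["old"], e["new"])
                             for e in run],
            })
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['target']}: {len(alert['sequence'])} changes by {alert['actors']} via "
              f"{alert['sources']} ({alert['first_seen']} .. {alert['last_seen']})")
        for step in alert["sequence"]:
            print("   ", step)
```

Run against the constructed records, this raises alerts for svc-backup and esxi-ops only: the ticketed onboarding of alice is suppressed by the allowlist, carol's single policy attachment stays a candidate for review rather than a chain, and dave's two changes an hour apart are deliberately missed to show the cost of a short window. In practice the window should be longer for privileged or service accounts, the key should also include the actor (a helpdesk account touching many targets is its own chain), and the allowlist should be checked against the ticket's approved scope rather than its mere presence.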
Mitigation priorities
- Establish strong change control and review for privileged account, group, role, credential, and security-policy modifications.
- Apply least privilege and periodic access reviews across IdP, IaaS, container, and ESXi administration paths where applicable.
- Protect administrative accounts with hardened authentication and monitored break-glass procedures.
- Retain audit logs long enough to reconstruct account manipulation chains during incident response.
- Regularly test whether SOC detections and IR playbooks can identify and investigate unauthorized account manipulation behavior.
Analyst notes and limits
The source object is a detection strategy named Account Manipulation Behavior Chain Detection and is related to ATT&CK technique T1098 Account Manipulation. The practical value is in validating end-to-end identity-change visibility and correlation across environments where account manipulation can support persistence or privilege escalation.
The supplied detection strategy has no official description, detection text, tactics, or platforms of its own. Platform and tactic context comes from the relationship to T1098. Local telemetry, identity architecture, and administrative workflows are required to convert this into precise detection logic.
Account Manipulation Behavior Chain Detection
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1098 | Account Manipulation | This object detects Account Manipulation. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8edfd3407e1c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0096 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.