T1098 is the persistence move of modifying existing accounts to maintain or escalate access, often the step following a credential-theft incident. DCV's high-fidelity signal is GuardDuty's Persistence:IAMUser/NetworkPermissions finding: permission-boundary changes that almost always indicate attacker privilege persistence. GCP SCC adds ANOMALOUS_IAM_GRANT for grant-level anomalies and SERVICE_ACCOUNT_KEY_CREATION for the cloud-native equivalent of credential persistence. T1098 deserves alerting parity with the initial credential compromise that usually precedes it.
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.
In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.
Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows.
DCV maps 20 detections across 3 cloud providers to T1098. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| Microsoft Defender for Cloud | Azure | 9 | 0.86 |
| AWS GuardDuty | AWS | 5 | 0.85 |
| AWS Security Hub | AWS | 2 | 0.82 |
| Azure Policy | Azure | 2 | 0.85 |
| Azure Regulatory Compliance | Azure | 1 | 0.85 |
| GCP Chronicle | GCP | 1 | 0.90 |
CloudSigma ships 20 production-ready Sigma rules that detect T1098 across 9 platforms. Every rule below is validated against its source SIEM dialect before publication.
```yaml
title: Linux Privileged User or Group Membership Change via auditd
id: 9cc851b0-a4f7-427a-9266-f14a4d184b3c
status: test
description: >
  Detects user account creation, deletion, group-membership changes
  and authentication-token resets on Linux hosts via auditd USER_*
  and GRP_* record types. Adversaries use these to add backdoor
  accounts, grant themselves wheel/sudo, or rotate credentials on a
  host they have already compromised. The rule is intentionally
  narrow on record type (no syscall numbers, no exe filters) so it
  fires on every privileged change including changes made by root —
  which is precisely when this matters most.
author: CloudSigma
date: 2026-04-24
references:
  - https://attack.mitre.org/techniques/T1098/
  - https://access.redhat.com/articles/4409591
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1098
logsource:
  product: linux
  service: auditd
detection:
  selection_user_lifecycle:
    type:
      - ADD_USER
      - DEL_USER
      - USER_MGMT
      - USER_CHAUTHTOK
      - ACCT_LOCK
      - ACCT_UNLOCK
  selection_group_lifecycle:
    type:
      - ADD_GROUP
      - DEL_GROUP
      - GRP_MGMT
  selection_success:
    res: success
  condition: (selection_user_lifecycle or selection_group_lifecycle) and selection_success
falsepositives:
  - Configuration-management runs (Ansible, Puppet, Chef, cloud-init) provisioning new user accounts during host bootstrap
  - Identity-management agents (FreeIPA, SSSD, JumpCloud) reconciling directory state
  - Operator-driven user lifecycle from a known jump host
fields:
  - acct
  - uid
  - auid
  - exe
  - hostname
  - res
level: medium
```
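To show how the rule's condition behaves on raw records, here is an added Python example (not part of the CloudSigma rule or the DCV page) that flattens a few constructed auditd lines into key=value fields, applies the selection and condition logic above, and projects the rule's `fields` for each hit; the record contents and hostnames are invented.

```python
import re

# Record types the Sigma rule above selects on
USER_LIFECYCLE = {"ADD_USER", "DEL_USER", "USER_MGMT", "USER_CHAUTHTOK", "ACCT_LOCK", "ACCT_UNLOCK"}
GROUP_LIFECYCLE = {"ADD_GROUP", "DEL_GROUP", "GRP_MGMT"}
# The rule's projected output fields
FIELDS = ("acct", "uid", "auid", "exe", "hostname", "res")

# auditd key=value tokens; values are bare, double-quoted, or nested inside msg='...'
_KV = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")

def parse_audit_record(line):
    """Flatten one raw auditd line into a dict; quotes around values are stripped."""
    return {k: v.strip("\"'") for k, v in _KV.findall(line)}

def matches_rule(rec):
    """Sigma condition: (selection_user_lifecycle or selection_group_lifecycle) and res=success."""
    rtype = rec.get("type")
    return (rtype in USER_LIFECYCLE or rtype in GROUP_LIFECYCLE) and rec.get("res") == "success"

def detect(lines):
    """Return the rule's 'fields' projection for every record the condition fires on."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        if matches_rule(rec):
            hits.append({f: rec.get(f) for f in FIELDS})
    return hits

# Constructed sample records (not captured from a real host)
SAMPLE_LOG = [
    # account created from an interactive root shell; auid=1000 identifies the human behind it
    "type=ADD_USER msg=audit(1713945600.101:2001): pid=4321 uid=0 auid=1000 ses=7 "
    "msg='op=adding user acct=\"svc-backup2\" exe=\"/usr/sbin/useradd\" hostname=web01 addr=? terminal=pts/0 res=success'",
    # failed password change: the rule requires res=success, so this is ignored
    "type=USER_CHAUTHTOK msg=audit(1713945601.202:2002): pid=4330 uid=1000 auid=1000 ses=7 "
    "msg='op=PAM:chauthtok acct=\"alice\" exe=\"/usr/bin/passwd\" hostname=web01 addr=? terminal=pts/0 res=failed'",
    # new account added to wheel: the privilege-escalation path the rule is meant to catch
    "type=GRP_MGMT msg=audit(1713945602.303:2003): pid=4340 uid=0 auid=1000 ses=7 "
    "msg='op=add-user-to-group grp=\"wheel\" acct=\"svc-backup2\" exe=\"/usr/sbin/usermod\" hostname=web01 addr=? terminal=pts/0 res=success'",
    # ordinary login: USER_LOGIN is not a lifecycle record type, so it does not match
    "type=USER_LOGIN msg=audit(1713945603.404:2004): pid=4350 uid=0 auid=1000 ses=8 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.10 terminal=ssh res=success'",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The `auid` field is what lets an analyst tie a root-level change back to the original login, which is why the rule keeps it in `fields` even though `uid` is 0 on both hits.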
DCV maps 20 cloud-native detections to T1098 across 3 cloud providers, drawn from AWS GuardDuty, AWS Security Hub, Azure Policy, Azure Regulatory Compliance, GCP Chronicle and Microsoft Defender for Cloud.
T1098 is part of MITRE ATT&CK TA0003 Persistence: how adversaries keep their foothold across reboots and credential rotations.
CloudSigma ships 13 validated Sigma rules for T1098 across AWS CloudTrail, Azure Activity, Entra ID Audit, GCP Audit Logs, Kubernetes Audit, Linux auditd, Okta System Log, Windows Security and Windows Sysmon. Each rule is validated against its source SIEM dialect before publication.