MITRE ATT&CK · TA0003 Persistence

T1098 Account Manipulation

Detection coverage in DCV across AWS, Azure and GCP for Account Manipulation, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.

01 What is T1098?

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials.

In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged Valid Accounts.

Platforms: Containers, ESXi, IaaS, Identity Provider, Linux, macOS, Network Devices, Office Suite, SaaS, Windows.

02 Coverage in DCV

DCV maps 20 detections across 3 cloud providers to T1098. Coverage by source:

Source                        Cloud  Findings mapped  Avg confidence
Microsoft Defender for Cloud  Azure  9                0.86
AWS GuardDuty                 AWS    5                0.85
AWS Security Hub              AWS    2                0.82
Azure Policy                  Azure  2                0.85
Azure Regulatory Compliance   Azure  1                0.85
GCP Chronicle                 GCP    1                0.90

03 Detect with CloudSigma

CloudSigma ships 9 production-ready Sigma rules that detect T1098 across 9 platforms. Every rule below is validated against its source SIEM dialect before publication.

Example: AWS Account Manipulation - Access Key or Policy Modification

This rule is currently experimental. CloudSigma generated it from upstream threat intelligence; before enabling it in production, tune the falsepositives section in your SIEM against your environment's known automation, service accounts and IP allowlist.

Sigma rule · CloudSigma 2026-02-06
title: AWS Account Manipulation - Access Key or Policy Modification
id: c0f6a4d5-7e8f-4b1c-2d3e-4f5a6b7c8d9f
status: experimental
description: >
    Detects creation of new access keys or attachment of IAM policies to users or roles.
    Adversaries manipulate accounts to maintain persistence or escalate privileges by
    granting additional permissions to compromised identities.
author: CloudSigma
date: 2026-02-06
references:
    - https://attack.mitre.org/techniques/T1098/
    - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
tags:
    - attack.persistence
    - attack.privilege_escalation   # Sigma tactic tags use underscores, not hyphens
    - attack.t1098
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'iam.amazonaws.com'
        eventName:
            - 'CreateAccessKey'
            - 'AttachUserPolicy'
            - 'AttachRolePolicy'
            - 'PutUserPolicy'
            - 'PutRolePolicy'
    condition: selection
falsepositives:
    - Routine IAM administration by authorized personnel
    - Automated provisioning systems creating access keys for service accounts
level: medium
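
As an added worked example (not part of the CloudSigma rule or the DCV page), the following Python evaluates the rule's selection block above against constructed CloudTrail records and applies the kind of automation allowlist the falsepositives section calls for. The account id, principal ARNs, IP addresses and the provisioning-pipeline role are assumed sample values.

```python
import json

# Values copied from the rule's selection block.
IAM_EVENT_SOURCE = "iam.amazonaws.com"
MANIPULATION_EVENTS = {"CreateAccessKey", "AttachUserPolicy", "AttachRolePolicy",
                       "PutUserPolicy", "PutRolePolicy"}

# Hypothetical tuning list standing in for the rule's falsepositives section:
# principals whose IAM changes are expected, such as a provisioning pipeline.
AUTOMATION_ARN = "arn:aws:sts::111122223333:assumed-role/provisioning-pipeline/terraform"
KNOWN_AUTOMATION_ARNS = {AUTOMATION_ARN}

# Constructed CloudTrail records (sample data, not real account activity).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"userName": "backup-svc"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "10.0.4.21", "requestParameters": {"userName": "ci-deploy"},
     "userIdentity": {"arn": AUTOMATION_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "sourceIPAddress": "198.51.100.9", "requestParameters": {"roleName": "app-runner"},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
]})

def matches_selection(event: dict) -> bool:
    """Evaluate the rule's 'selection' block against one CloudTrail record."""
    return (event.get("eventSource") == IAM_EVENT_SOURCE
            and event.get("eventName") in MANIPULATION_EVENTS)

def is_known_automation(event: dict) -> bool:
    """Tuning step: suppress hits from allowlisted automation principals."""
    return event.get("userIdentity", {}).get("arn") in KNOWN_AUTOMATION_ARNS

def triage(cloudtrail_json: str) -> list:
    """Return one alert per record that hits the selection and is not allowlisted."""
    alerts = []
    for ev in json.loads(cloudtrail_json)["Records"]:
        if not matches_selection(ev) or is_known_automation(ev):
            continue
        params = ev.get("requestParameters", {})
        alerts.append({"event": ev["eventName"], "actor": ev["userIdentity"]["arn"],
                       "target": params.get("userName") or params.get("roleName"),
                       "source_ip": ev.get("sourceIPAddress")})
    return alerts

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The allowlist keys on the caller's ARN rather than the source IP, so an allowlisted pipeline role used from an unexpected address is still suppressed; add an IP check if your environment needs it.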

04 Related techniques

Sources
  • MITRE ATT&CK, https://attack.mitre.org/techniques/T1098/
  • MITRE Tactic TA0003 Persistence, https://attack.mitre.org/tactics/TA0003/
  • MITRE Center for Threat-Informed Defense, Security Stack Mappings (https://center-for-threat-informed-defense.github.io/security-stack-mappings/)

Last verified: 2026-04-24