Persistence via Account Manipulation (T1098)

MITRE ATT&CK

Persistence through account manipulation involves creating new accounts or modifying existing ones to maintain long-term access to a compromised system. Attackers leverage these accounts to avoid detection and regain access even after reboots or security measures.

How Attackers Use Account Manipulation for Persistence

Attackers can establish persistence in two main ways:

Creating a New High-Privilege Account:
- A new user account is created and added to Administrators or other privileged groups.
- The attacker ensures this account has Remote Desktop (RDP), SMB, or WinRM access.
- If the firewall blocks these services, the attacker may open the required ports.
Using Existing Accounts:
- Low-privileged accounts can be added to Backup Operators or similar groups.
- Backup Operators can read/write any file or registry key, enabling further escalation.
- UAC bypass can be performed by enabling LocalAccountTokenFilterPolicy, granting full admin privileges remotely.

Detection & Logging

Windows Event Logs (⭐ = High Priority)

Event ID	Description	Notes
4720 ⭐	User Account Created	Detects new local/domain account creation.
4732 ⭐	Member Added to a Privileged Group	Flags privilege escalation (e.g., adding a user to Administrators).
4738	User Account Modified	Useful for detecting suspicious changes (e.g., enabling disabled accounts).
4781	Account Name Changed	Could indicate an attacker trying to mask activity.
4624	Successful Logon	Logon Type 10 (RDP) or 3 (Network) can indicate persistence use.
4648	Explicit Credential Use	Detects account switching (e.g., `runas`).
4672 ⭐	Special Privilege Assigned	Indicates high-privilege login (e.g., Administrator, SYSTEM).

Sysmon Event IDs (⭐ = High Priority)

Event ID	Description	Notes
1 ⭐	Process Creation	Track suspicious processes (e.g., `net user`, `wmic`, PowerShell).
12	Registry Modification	Detects changes to `LocalAccountTokenFilterPolicy` (UAC Bypass).
13 ⭐	Registry Key/Value Modification	Look for `HKLM\\SAM\\SAM\\Domains\\Account\\Users`.
3	Network Connection	Monitor for unexpected remote access via SMB, WinRM, RDP.

Threat Hunting Tips

Monitor for unauthorized account creations (Event ID 4720) and privilege changes (4732).
Track logons (Event ID 4624) from unusual accounts, especially over RDP (Logon Type 10).
Correlate Sysmon Event ID 12 (Registry Modification) with privilege escalation attempts.
Watch for accounts added to Backup Operators (less monitored but can access system files).
Detect repeated failed logins (Event ID 4625) followed by a successful one—potential password brute force.