uc_account_manipulation.md

Use Case: Account Manipulation

Vendor: Absolute

Product MITRE ATT&CK® TTP Content
Absolute SIEM Connector T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Accellion

Product MITRE ATT&CK® TTP Content
Kiteworks T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: Airlock

Product MITRE ATT&CK® TTP Content
Airlock Allowlisting T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Amazon

Product MITRE ATT&CK® TTP Content
AWS CloudTrail T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
AWS WAF T1098 - Account Manipulation
  • 1 Rules

Vendor: Apache

Product MITRE ATT&CK® TTP Content
Apache Subversion T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Auth0

Product MITRE ATT&CK® TTP Content
Auth0 T1098 - Account Manipulation
T1136 - Create Account
T1531 - Account Access Removal
  • 3 Rules
  • 1 Models

Vendor: BeyondTrust

Product MITRE ATT&CK® TTP Content
BeyondInsight T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 47 Rules
  • 21 Models
BeyondTrust T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models
BeyondTrust Privileged Identity T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
BeyondTrust Secure Remote Access T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Check Point

Product MITRE ATT&CK® TTP Content
Check Point NGFW T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models
Check Point Security Gateway T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Cisco

Product MITRE ATT&CK® TTP Content
AnyConnect T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models
Cisco T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Cisco ACS T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Cisco Adaptive Security Appliance T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 24 Rules
  • 14 Models
Cisco Firepower T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 24 Rules
  • 14 Models
Cisco IOS T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Cisco ISE T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Duo Access T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 34 Rules
  • 14 Models

Vendor: Citrix

Product MITRE ATT&CK® TTP Content
Citrix Gateway T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 24 Rules
  • 14 Models
Citrix ShareFile T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Click Studios

Product MITRE ATT&CK® TTP Content
Passwordstate T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 27 Rules
  • 13 Models

Vendor: Cloudflare

Product MITRE ATT&CK® TTP Content
Cloudflare Insights T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
  • 36 Rules
  • 18 Models

Vendor: Code42

Product MITRE ATT&CK® TTP Content
Code42 Incydr T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: CrowdStrike

Product MITRE ATT&CK® TTP Content
Falcon T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models

Vendor: CyberArk

Product MITRE ATT&CK® TTP Content
Cyberark Privilege Access Management T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Delinea

Product MITRE ATT&CK® TTP Content
Centrify Infrastructure Services T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Centrify Zero Trust Privilege Services T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Dell

Product MITRE ATT&CK® TTP Content
Sonicwall T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Digital Guardian

Product MITRE ATT&CK® TTP Content
Digital Guardian Endpoint Protection T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models

Vendor: Dropbox

Product MITRE ATT&CK® TTP Content
Dropbox T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 10 Rules
  • 7 Models

Vendor: Dtex Systems

Product MITRE ATT&CK® TTP Content
DTEX InTERCEPT T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models

Vendor: ESET

Product MITRE ATT&CK® TTP Content
ESET Endpoint Security T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Epic

Product MITRE ATT&CK® TTP Content
Epic SIEM T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: Exabeam

Product MITRE ATT&CK® TTP Content
Search T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Extreme Networks

Product MITRE ATT&CK® TTP Content
Zebra WLAN Management T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: F5

Product MITRE ATT&CK® TTP Content
F5 Access Policy Manager T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models
F5 Advanced Web Application Firewall T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
F5 BIG-IP T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: FTP

Product MITRE ATT&CK® TTP Content
FTP T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Fortinet

Product MITRE ATT&CK® TTP Content
Fortinet UTM T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Fortinet VPN T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: GitHub

Product MITRE ATT&CK® TTP Content
GitHub T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Google

Product MITRE ATT&CK® TTP Content
Google Cloud Platform T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Google Workspace T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: HP

Product MITRE ATT&CK® TTP Content
Aruba Mobility Master T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 29 Rules
  • 13 Models
HPE Comware T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models

Vendor: HashiCorp

Product MITRE ATT&CK® TTP Content
HashiCorp Vault T1098 - Account Manipulation
  • 1 Rules

Vendor: HelpSystems

Product MITRE ATT&CK® TTP Content
Powertech Identity and Access Manager T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models

Vendor: Huawei

Product MITRE ATT&CK® TTP Content
Huawei Unified Security Gateway T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models

Vendor: IBM

Product MITRE ATT&CK® TTP Content
IBM Mainframe T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
IBM Resource Access Control Facility T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Infoblox

Product MITRE ATT&CK® TTP Content
BloxOne DDI T1098 - Account Manipulation
  • 1 Rules

Vendor: Ipswitch

Product MITRE ATT&CK® TTP Content
MoveIt Transfer T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
  • 36 Rules
  • 18 Models

Vendor: Ivanti

Product MITRE ATT&CK® TTP Content
Pulse Secure T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1484 - Group Policy Modification
T1531 - Account Access Removal
  • 12 Rules
  • 8 Models

Vendor: Juniper Networks

Product MITRE ATT&CK® TTP Content
Junos OS T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models

Vendor: Kemp

Product MITRE ATT&CK® TTP Content
Kemp LoadMaster T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: LanScope

Product MITRE ATT&CK® TTP Content
LanScope Cat T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models

Vendor: LastPass

Product MITRE ATT&CK® TTP Content
LastPass T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 33 Rules
  • 14 Models

Vendor: ManageEngine

Product MITRE ATT&CK® TTP Content
PAM360 T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: McAfee

Product MITRE ATT&CK® TTP Content
Skyhigh Networks CASB T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Microsoft

Product MITRE ATT&CK® TTP Content
Azure T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Azure AD Activity Logs T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
Azure MFA T1098 - Account Manipulation
  • 1 Rules
Azure Monitor T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136.003 - Create Account: Create: Cloud Account
  • 9 Rules
  • 4 Models
Azure Monitor - VM Insights T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Event Viewer - ADFS T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
Event Viewer - AzureADPasswordProtection-DCAgent T1098 - Account Manipulation
  • 1 Rules
Event Viewer - DHCP-Server T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Event Viewer - DNSServer T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Event Viewer - PowerShell T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Event Viewer - Security T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1207 - Rogue Domain Controller
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 108 Rules
  • 53 Models
Event Viewer - System T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models
Event Viewer - TerminalServices-Gateway T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Microsoft 365 T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models
Microsoft CAS T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
Microsoft Defender for Endpoint T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Microsoft Exchange T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Sysmon T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models
Windows T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models

Vendor: Mimecast

Product MITRE ATT&CK® TTP Content
Mimecast Secure Email Gateway T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: NCP

Product MITRE ATT&CK® TTP Content
NCP T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Namespace rDirectory

Product MITRE ATT&CK® TTP Content
Namespace rDirectory T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1207 - Rogue Domain Controller
T1484 - Group Policy Modification
T1531 - Account Access Removal
  • 83 Rules
  • 39 Models

Vendor: NetApp

Product MITRE ATT&CK® TTP Content
NetApp T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Netskope

Product MITRE ATT&CK® TTP Content
Netskope Security Cloud T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Netwrix

Product MITRE ATT&CK® TTP Content
Netwrix Auditor T1098 - Account Manipulation
  • 1 Rules

Vendor: Nortel Contivity

Product MITRE ATT&CK® TTP Content
Nortel Contivity VPN T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Okta

Product MITRE ATT&CK® TTP Content
Okta Adaptive MFA T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 55 Rules
  • 24 Models

Vendor: OneLogin

Product MITRE ATT&CK® TTP Content
OneLogin T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: Open VPN

Product MITRE ATT&CK® TTP Content
Open VPN T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Oracle

Product MITRE ATT&CK® TTP Content
Oracle Public Cloud T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Palo Alto Networks

Product MITRE ATT&CK® TTP Content
GlobalProtect T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 10 Rules
  • 7 Models
Palo Alto NGFW T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Password Manager Pro

Product MITRE ATT&CK® TTP Content
Password Manager Pro T1098 - Account Manipulation
  • 1 Rules

Vendor: Ping Identity

Product MITRE ATT&CK® TTP Content
Ping Identity T1098 - Account Manipulation
  • 1 Rules

Vendor: Proofpoint

Product MITRE ATT&CK® TTP Content
ObserveIT T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models

Vendor: Quest Software

Product MITRE ATT&CK® TTP Content
Quest Change Auditor for Active Directory T1098 - Account Manipulation
T1136 - Create Account
T1207 - Rogue Domain Controller
T1484 - Group Policy Modification
  • 69 Rules
  • 33 Models

Vendor: RSA

Product MITRE ATT&CK® TTP Content
SecurID T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Rubrik

Product MITRE ATT&CK® TTP Content
Rubrik Cloud Data Management T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 29 Rules
  • 13 Models

Vendor: SAP

Product MITRE ATT&CK® TTP Content
SAP T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1531 - Account Access Removal
  • 31 Rules
  • 13 Models

Vendor: Sailpoint

Product MITRE ATT&CK® TTP Content
IdentityNow T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: Salesforce

Product MITRE ATT&CK® TTP Content
Salesforce T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: SecureAuth

Product MITRE ATT&CK® TTP Content
SecureAuth IDP T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models

Vendor: SecureNet

Product MITRE ATT&CK® TTP Content
SecureNet T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1484 - Group Policy Modification
  • 7 Rules
  • 7 Models

Vendor: Semperis

Product MITRE ATT&CK® TTP Content
Semperis DSP T1207 - Rogue Domain Controller
T1484 - Group Policy Modification
  • 31 Rules
  • 16 Models

Vendor: SentinelOne

Product MITRE ATT&CK® TTP Content
Singularity Platform T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 43 Rules
  • 20 Models

Vendor: ServiceNow

Product MITRE ATT&CK® TTP Content
ServiceNow T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Shibboleth

Product MITRE ATT&CK® TTP Content
Shibboleth T1098 - Account Manipulation
  • 1 Rules

Vendor: SkySea

Product MITRE ATT&CK® TTP Content
SkySea ClientView T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models

Vendor: Specops

Product MITRE ATT&CK® TTP Content
Specops Password T1098 - Account Manipulation
  • 1 Rules

Vendor: SunOne

Product MITRE ATT&CK® TTP Content
SunOne T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Symantec

Product MITRE ATT&CK® TTP Content
Symantec Advanced Threat Protection T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 17 Rules
  • 8 Models
Symantec Critical System Protection T1098 - Account Manipulation
T1136 - Create Account
  • 33 Rules
  • 17 Models
Symantec Endpoint Protection T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Tanium

Product MITRE ATT&CK® TTP Content
Tanium Cloud Platform T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Tanium Core Platform T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Tanium Integrity Monitor T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models

Vendor: Trend Micro

Product MITRE ATT&CK® TTP Content
Deep Discovery Inspector T1098 - Account Manipulation
  • 1 Rules

Vendor: Unix

Product MITRE ATT&CK® TTP Content
Auditbeat T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Unix T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 70 Rules
  • 31 Models
Unix Auditd T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 48 Rules
  • 21 Models
Unix Named T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Unix dhcpd T1098 - Account Manipulation
  • 1 Rules

Vendor: VMware

Product MITRE ATT&CK® TTP Content
Carbon Black App Control T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Carbon Black CES T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
Carbon Black EDR T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
  • 14 Rules
  • 7 Models
VMware AirWatch T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
VMware ESXi T1098 - Account Manipulation
  • 1 Rules
VMware Horizon T1098 - Account Manipulation
  • 1 Rules

Vendor: Vectra

Product MITRE ATT&CK® TTP Content
Vectra Cognito Detect T1098 - Account Manipulation
  • 1 Rules

Vendor: Wiz

Product MITRE ATT&CK® TTP Content
Wiz T1136 - Create Account
T1531 - Account Access Removal
  • 2 Rules
  • 1 Models

Vendor: Zeek

Product MITRE ATT&CK® TTP Content
Zeek T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Zendesk

Product MITRE ATT&CK® TTP Content
Zendesk T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor:

Vendor: iManage

Product MITRE ATT&CK® TTP Content
iManage T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: oVirt

Product MITRE ATT&CK® TTP Content
oVirt T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models