agent security skill risk: medium
T1098 Account Manipulation Hunter
The prompt provides steps to hunt for MITRE ATT&CK T1098 account manipulation by parsing Windows Security Event Logs for specific Event IDs, detecting privileged group changes and…
- Policy sensitive
- Human review
SKILL 4 files · 2 folders
SKILL.md
---
name: hunting-for-t1098-account-manipulation
description: "Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group"
---

# Hunting for T1098 Account Manipulation

## Overview

MITRE ATT&CK T1098 (Account Manipulation) covers adversary actions to maintain or expand access to compromised accounts, including adding credentials, modifying group memberships, SID history injection, and creating shadow admin accounts. This skill covers detecting these techniques through Windows Security Event Log analysis (Event IDs 4738, 4728, 4732, 4756, 4670, 5136), correlating group membership changes with privilege escalation indicators, and identifying anomalous account modification patterns.

## When to Use

- When investigating security incidents that require hunting for T1098 account manipulation
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Windows Security Event Logs (EVTX format) or SIEM access
- Python 3.9+ with the `python-evtx` and `lxml` libraries
- Understanding of Active Directory group structure and SID architecture
- Familiarity with MITRE ATT&CK T1098 sub-techniques

## Steps

### Step 1: Parse Account Modification Events

Extract Event IDs 4738 (user account changed), 4728/4732/4756 (member added to security groups), and 5136 (directory service object modified).

### Step 2: Detect Privileged Group Changes

Flag additions to the Domain Admins, Enterprise Admins, Schema Admins, Administrators, and Backup Operators groups.

### Step 3: Identify Shadow Admin Indicators

Detect accounts receiving AdminSDHolder protection, direct privilege assignment, or SID history injection.

### Step 4: Correlate with Attack Timeline

Cross-reference account changes with authentication events to identify initial compromise and persistence establishment.
## Expected Output JSON report with detected account manipulation events, privileged group changes, shadow admin indicators, and timeline correlation.
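As an added example (not one of the skill's own files), a minimal Python triage covering Steps 1 to 3 over Windows Security Event XML: `python-evtx`'s `Record.xml()` yields this schema, but the records below are constructed samples with placeholder SIDs, names and timestamps, parsed with the stdlib `xml.etree` instead of `lxml` so the script runs offline.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GROUP_ADD_IDS = {"4728", "4732", "4756"}   # member added to global / local / universal group
ACCOUNT_CHANGE_IDS = {"4738", "5136"}      # user account changed / directory object modified
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators"}

def parse_event(xml_text):
    """Return EventID, SystemTime and the EventData Name->value map for one record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": system.findtext("e:EventID", namespaces=NS),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"), "data": data}

def hunt(records):
    """Steps 1-3: keep account-manipulation events, flag privileged group additions and SID history changes."""
    report = {"account_manipulation_events": [], "privileged_group_changes": [],
              "shadow_admin_indicators": []}
    for ev in map(parse_event, records):
        if ev["event_id"] not in GROUP_ADD_IDS | ACCOUNT_CHANGE_IDS:
            continue                      # e.g. 4624 logons are not account manipulation
        report["account_manipulation_events"].append(ev)
        d = ev["data"]
        if ev["event_id"] in GROUP_ADD_IDS and d.get("TargetUserName") in PRIVILEGED_GROUPS:
            report["privileged_group_changes"].append(
                {"time": ev["time"], "group": d["TargetUserName"], "member_sid": d.get("MemberSid"),
                 "member": d.get("MemberName"), "actor": d.get("SubjectUserName")})
        if ev["event_id"] == "4738" and d.get("SidHistory", "-") not in ("-", ""):
            report["shadow_admin_indicators"].append(   # 4738 with a populated SidHistory field
                {"time": ev["time"], "account": d.get("TargetUserName"),
                 "sid_history": d["SidHistory"], "actor": d.get("SubjectUserName")})
    return report

def _rec(eid, time, **data):  # build one constructed record in the Windows Event XML schema
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>{fields}</EventData></Event>')

SAMPLE_RECORDS = [  # constructed sample data; SIDs, names and times are placeholders
    _rec(4624, "2024-05-01T09:00:00Z", TargetUserName="jdoe", LogonType="3"),
    _rec(4728, "2024-05-01T09:02:10Z", MemberName="CN=svc-backup,CN=Users,DC=corp,DC=example",
         MemberSid="S-1-5-21-1-2-3-1105", TargetUserName="Domain Admins", SubjectUserName="helpdesk1"),
    _rec(4728, "2024-05-01T09:03:00Z", MemberName="CN=jdoe,CN=Users,DC=corp,DC=example",
         MemberSid="S-1-5-21-1-2-3-1106", TargetUserName="Marketing", SubjectUserName="helpdesk1"),
    _rec(4738, "2024-05-01T09:05:00Z", TargetUserName="svc-backup", SubjectUserName="helpdesk1",
         SidHistory="S-1-5-21-9-9-9-512"),
]
```

`hunt(SAMPLE_RECORDS)` returns the report as a dict; `json.dumps` it to produce the JSON report the skill expects, and feed real `python-evtx` record XML in place of the constructed samples.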
REQUIRED CONTEXT
- Windows Security Event Logs (EVTX format) or SIEM access
TOOLS REQUIRED
- python-evtx
- lxml
EXPECTED OUTPUT
- Format
- json
- Schema
- json · detected account manipulation events, privileged group changes, shadow admin indicators, timeline correlation
- Constraints
- include detected account manipulation events
- include privileged group changes
- include shadow admin indicators
- include timeline correlation
CAVEATS
- Dependencies
- Windows Security Event Logs (EVTX format) or SIEM access
- Python 3.9+ with `python-evtx`, `lxml` libraries
- Understanding of Active Directory group structure and SID architecture
- Familiarity with MITRE ATT&CK T1098 sub-techniques
- Missing context
- Specific detection queries, code snippets, or SIEM syntax
- Exact JSON schema or example for the expected output report
- Ambiguities
- Description is truncated mid-sentence at 'group'
QUALITY
- OVERALL
- 0.60
- CLARITY
- 0.75
- SPECIFICITY
- 0.55
- REUSABILITY
- 0.70
- COMPLETENESS
- 0.45
IMPROVEMENT SUGGESTIONS
- Complete the truncated description sentence in the header.
- Expand each step with concrete query examples or pseudocode.
- Define the precise JSON structure and fields for the expected output.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.