MITRE ATT&CK T1098 — Account Manipulation

What it does

Provides a defensive-focused skill that analyzes MITRE ATT&CK technique T1098 (Account Manipulation). It helps the agent map evidence to the ATT&CK technique, produce detection hypotheses, create triage and hunt plans, and generate mitigation and containment recommendations. The skill bundles structured metadata, templates, and rendering scripts to produce concise defensive briefs.

When to use it

Use this skill when investigating account manipulation behaviors, planning detection logic for account-related TTPs, drafting threat-hunting playbooks, conducting incident-response mapping, or preparing controlled adversary-emulation exercises. It's intended for defensive analysts and detection engineers seeking ATT&CK-mapped outputs.

What's included

• Scripts: scripts/render_brief.py (render detection briefs)
• References: references/technique-profile.json, references/detection-and-mitigation.md, references/known-threat-context.md
• Templates: detection brief, hunt plan, incident-response note, coverage assessment
• Instructions: the skill body describes an agent workflow (scope clarification, resource loading, mapping observations to ATT&CK, and safe output patterns).

Compatible agents

Best used by agents that can run local scripts and produce structured text outputs (automation-capable assistants used for security analysis, e.g., code-capable agents and automation runners).