T1531: Account Access Removal
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.
In Windows, Net utility, Set-LocalUser
and Set-ADAccountPassword
PowerShell cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd
utility may be used to change passwords. Accounts could also be disabled by Group Policy.
Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
yandex_cloud: PT-CR-1267: Yandex_Cloud_Symmetric_Key_Access_Manage: Access rights to a symmetric key are changed yandex_cloud: PT-CR-817: Yandex_Cloud_Secret_Access_Manage: Access rights to a secret are changed yandex_cloud: PT-CR-819: Yandex_Cloud_Symmetric_Key_Removal: A symmetric key is removed yandex_cloud: PT-CR-810: Yandex_Cloud_Access_Key_Manipulation: An access key is created or removed mongo_database: PT-CR-1954: MongoDB_Mass_Drop_User: Mass dropping of users in a MongoDB mongo_database: PT-CR-1955: MongoDB_Revoke_High_Role: Administrator permissions are revoked from a user enterprise_1c_and_bitrix: PT-CR-675: Enterprise_1C_Multiple_User_Password_Change: Multiple password changes for the same account enterprise_1c_and_bitrix: PT-CR-677: Enterprise_1C_Multiple_User_Lock: Batch account locking microsoft_mecm: PT-CR-1898: MECM_Remove_Accounts: Deleting an account from MECM hashicorp: PT-CR-2140: Hashicorp_Vault_Important_Secrets_Rewrite: Attackers can overwrite important secrets to disrupt availability or functionality of specific systems or gain access to them hashicorp: PT-CR-2142: Hashicorp_Vault_Important_Secrets_Deleted: Attackers can delete important secrets to disrupt availability or functionality of specific systems mitre_attck_impact: PT-CR-495: Remove_Access_To_Sensitive_Account: Detection of attempts to block access to an account that is significant for IS mitre_attck_impact: PT-CR-2418: NGate_Account_Access_Removal: A large number of user sessions is killed, which may indicate a compromise of the CryptoPro NGate administrator account mysql_database: PT-CR-622: MySQL_Disconnect_User: Attempt to terminate a user session mysql_database: PT-CR-625: MySQL_User_Operation: Attempt to change or delete a user account zabbix: PT-CR-2050: Zabbix_Critical_Group_Manipulate: A user performed an action with a critical group in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. zabbix: PT-CR-2052: Zabbix_Critical_Role_Manipulate: A user performed an action with a critical role in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. zabbix: PT-CR-2054: Zabbix_User_Multiple_Password_Change: A user changed a password in Zabbix multiple times. This could be an attacker's attempt to gain persistence. zabbix: PT-CR-2051: Zabbix_Critical_User_Manipulate: A user changed a critical user account in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. freeipa: PT-CR-1958: FreeIPA_Multiple_User_Password_Change: Multiple user password changes freeipa: PT-CR-1956: FreeIPA_Privileged_Account_Blocking: A user with escalated privileges was locked freeipa: PT-CR-1959: FreeIPA_Multiple_User_Lock: Multiple user lockouts sap_java_suspicious_user_activity: PT-CR-543: SAPASJAVA_User_Password_Changed: An account password is changed multiple times sap_java_suspicious_user_activity: PT-CR-542: SAPASJAVA_User_Locked_After_Too_Many_Password_Logon_Attempts: A user is locked after multiple failed attempts to log in network_devices_compromise: PT-CR-1351: Checkpoint_Admin_Modification: Administrators were added or deleted on a Checkpoint device sap_suspicious_user_activity: PT-CR-249: SAPASABAP_Lock_Many_Accounts: Mass locking of user accounts sap_suspicious_user_activity: PT-CR-232: SAPASABAP_Critical_Action_By_Non_Admin_User: A non admin user performed a critical action in the system apache_cassandra_database: PT-CR-2086: Apache_Cassandra_Revoke_All_Permissions: All permissions were revoked from a user. This may indicate an attacker trying to prevent another user from interfering with malicious activity. microsoft_exchange: PT-CR-2353: Exchange_Mass_Deletion_Of_Mailboxes: A user deleted mailboxes in Exchange. This could be an attacker's attempt to make system and network resources unavailable. microsoft_exchange: PT-CR-2362: Exchange_Mass_Deletion_Of_Groups: A user deleted groups in Exchange. This could be an attacker's attempt to make system and network resources unavailable. microsoft_exchange: PT-CR-2360: Exchange_Critical_Group_Manipulate: A user changed or deleted a critical group in Exchange. This could be an attacker's attempt to escalate privileges or disrupt system availability. microsoft_exchange: PT-CR-2355: Exchange_Admin_Role_Actions: A user performed an action with a management role in Exchange. This may indicate an attacker's attempt to escalate privileges or disrupt availability of system resources. vmware_aria: PT-CR-2382: Aria_Operations_Admin_Panel_Admin_Locked_Too_Many_Logons: A user is locked. Locking a user can indicate an attacker attempting to block access to the account in the Aria Operations administration interface. vmware_aria: PT-CR-2370: AOFL_Role_Manage: A new role with critical permissions can indicate an attacker attempting to escalate privileges and/or gain persistence in the Aria Operations for Logs system vmware_aria: PT-CR-2380: Aria_Operations_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations vmware_aria: PT-CR-2377: AOFL_User_Locked_Too_Many_Logons: A user lockout can indicate an attacker attempting to block access to an account in Aria Operations for Logs vmware_aria: PT-CR-2381: AOFL_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations for Logs vmware_aria: PT-CR-2368: Aria_Operations_Change_Admin_Password_Via_CLI: Changing the administrator password in Aria Operations from the command line without the old password can indicate an attacker attempting to block access to the owner and/or access the Aria Operations data vk_cloud: PT-CR-2102: VK_Cloud_Keypair_Operation: A user who is not on the allowed users list performed an operation with a key pair. This may indicate an attacker's attempt to create a rogue connection to a virtual machine via SSH or limit the ability to legitimately connect to a host. vk_cloud: PT-CR-2105: VK_Cloud_VM_Security_Group_Operation: A user who is not on the allowed users list changed a security group list of a virtual machine, which may indicate an attacker's attempt to change the network configuration active_directory_attacks: PT-CR-1342: Subrule_PowerView_Objects_Actions: Remote change of domain objects (domain users and groups, machine accounts) using the PowerView tool (PowerViewPy) is detected active_directory_attacks: PT-CR-1344: Remote_Actions_With_Domain_Objects: A PowerView script was used. Attackers use the PowerView tool for reconnaissance in Windows domains. security_code_secret_net_lsp: PT-CR-1895: SecretNet_LSP_Manipulate_User_With_Critical_Roles: Critical account change security_code_secret_net_lsp: PT-CR-1887: SecretNet_LSP_Multiple_User_Password_Change: Multiple password changes for the same account
Detection
ID | DS0026 | Data source and component | Active Directory: Active Directory Object Modification | Description | Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.). |
---|
ID | DS0002 | Data source and component | User Account: User Account Modification | Description | Monitor for changes made to user accounts for unexpected modification of properties, such as passwords or status (enabled/disabled). Windows event logs may designate activity associated with an adversary's attempt to remove access to an account: Event ID 4723 - An attempt was made to change an account's password Event ID 4724 - An attempt was made to reset an account's password Event ID 4725 - A user account was disabled Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
---|
ID | DS0002 | Data source and component | User Account: User Account Deletion | Description | Monitor for unexpected deletions of user accounts. Windows event logs may designate activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
---|