T1531: Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.

In Windows, Net utility, Set-LocalUser and Set-ADAccountPassword PowerShell cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.

Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

sap_suspicious_user_activity: PT-CR-232: SAPASABAP_Critical_Action_By_Non_Admin_User: A non admin user performed a critical action in the system sap_suspicious_user_activity: PT-CR-249: SAPASABAP_Lock_Many_Accounts: Mass locking of user accounts sap_java_suspicious_user_activity: PT-CR-542: SAPASJAVA_User_Locked_After_Too_Many_Password_Logon_Attempts: A user is locked after multiple failed attempts to log in sap_java_suspicious_user_activity: PT-CR-543: SAPASJAVA_User_Password_Changed: An account password is changed multiple times yandex_cloud: PT-CR-819: Yandex_Cloud_Symmetric_Key_Removal: A symmetric key is removed yandex_cloud: PT-CR-1267: Yandex_Cloud_Symmetric_Key_Access_Manage: Access rights to a symmetric key are changed yandex_cloud: PT-CR-810: Yandex_Cloud_Access_Key_Manipulation: An access key is created or removed yandex_cloud: PT-CR-817: Yandex_Cloud_Secret_Access_Manage: Access rights to a secret are changed microsoft_exchange: PT-CR-2360: Exchange_Critical_Group_Manipulate: A user changed or deleted a critical group in Exchange. This could be an attacker's attempt to escalate privileges or disrupt system availability. microsoft_exchange: PT-CR-2355: Exchange_Admin_Role_Actions: A user performed an action with a management role in Exchange. This may indicate an attacker's attempt to escalate privileges or disrupt availability of system resources. microsoft_exchange: PT-CR-2362: Exchange_Mass_Deletion_Of_Groups: A user deleted groups in Exchange. This could be an attacker's attempt to make system and network resources unavailable. microsoft_exchange: PT-CR-2353: Exchange_Mass_Deletion_Of_Mailboxes: A user deleted mailboxes in Exchange. This could be an attacker's attempt to make system and network resources unavailable. mitre_attck_impact: PT-CR-495: Remove_Access_To_Sensitive_Account: Detection of attempts to block access to an account that is significant for IS mitre_attck_impact: PT-CR-2418: NGate_Account_Access_Removal: A large number of user sessions is killed, which may indicate a compromise of the CryptoPro NGate administrator account elasticsearch: PT-CR-2732: Elasticsearch_Remove_Users: Bulk deletion of users from the Elasticsearch database elasticsearch: PT-CR-2708: Elasticsearch_Critical_Users_Modify: A critical user configuration was changed in the Elasticsearch database. This may indicate that the user's account was compromised. apache_cassandra_database: PT-CR-2086: Apache_Cassandra_Revoke_All_Permissions: All permissions were revoked from a user. This may indicate an attacker trying to prevent another user from interfering with malicious activity. vk_cloud: PT-CR-2102: VK_Cloud_Keypair_Operation: A user who is not on the allowed users list performed an operation with a key pair. This may indicate an attacker's attempt to create a rogue connection to a virtual machine via SSH or limit the ability to legitimately connect to a host. vk_cloud: PT-CR-2105: VK_Cloud_VM_Security_Group_Operation: A user who is not on the allowed users list changed a security group list of a virtual machine, which may indicate an attacker's attempt to change the network configuration kontinent: PT-CR-2400: Kontinent_Account_Manipulation: An action with a resource user account or administrator account was performed. This can indicate an attacker attempting to create a new account for themselves or change the properties of an old account to gain access to the necessary network resources or escalate privileges. kontinent: PT-CR-2399: Kontinent_Role_Manipulation: An action with an administrator role was performed. An attacker can create, change, or delete administrator roles to gain more privileges or deprive legitimate administrators of privileges. active_directory_attacks: PT-CR-1344: Remote_Actions_With_Domain_Objects: A PowerView script was used. Attackers use the PowerView tool for reconnaissance in Windows domains. active_directory_attacks: PT-CR-1342: Subrule_PowerView_Objects_Actions: Remote change of domain objects (domain users and groups, machine accounts) using the PowerView tool (PowerViewPy) is detected bitbucket: PT-CR-2573: Bitbucket_Global_SSH_Setting_Disable: SSH access to the Bitbucket server was disabled. This may be an attacker's attempt to limit the server functionality. bitbucket: PT-CR-2700: Bitbucket_Important_Permission_Revoke: A user permission was revoked in Bitbucket passwork: PT-CR-2613: Passwork_Mass_Deletion_Of_Users: A user deleted accounts in Passwork. This could be an attacker's attempt to make system or network resources unavailable. passwork: PT-CR-2608: Passwork_Critical_User_Manipulation: A user performed a suspicious action on a critical user account in Passwork Password Manager. Such actions include role revocation, password harvesting, and user deletion. This could be an attacker's action to escalate privileges or make system and network resources inaccessible mitre_attck_persistence: PT-CR-2604: Unauthorized_Reset_Password_For_Sensitive_Users: Unexpected reset of a critical user's password. This may indicate that the user's account was compromised. enterprise_1c_and_bitrix: PT-CR-677: Enterprise_1C_Multiple_User_Lock: Batch account locking enterprise_1c_and_bitrix: PT-CR-675: Enterprise_1C_Multiple_User_Password_Change: Multiple password changes for the same account security_code_secret_net_lsp: PT-CR-1887: SecretNet_LSP_Multiple_User_Password_Change: Multiple password changes for the same account security_code_secret_net_lsp: PT-CR-1895: SecretNet_LSP_Manipulate_User_With_Critical_Roles: Critical account change hashicorp: PT-CR-2142: Hashicorp_Vault_Important_Secrets_Deleted: Attackers can delete important secrets to disrupt availability or functionality of specific systems hashicorp: PT-CR-2140: Hashicorp_Vault_Important_Secrets_Rewrite: Attackers can overwrite important secrets to disrupt availability or functionality of specific systems or gain access to them vipnet_tias: PT-CR-2628: ViPNet_TIAS_Mass_Deletion_Of_Users: A user deleted accounts in ViPNet TIAS. This could be an attacker's attempt to make system and network resources unavailable. vipnet_tias: PT-CR-2627: ViPNet_TIAS_Critical_User_Manipulation: A user performed an action with a critical user account in ViPNet TIAS. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. mysql_database: PT-CR-625: MySQL_User_Operation: Attempt to change or delete a user account mysql_database: PT-CR-622: MySQL_Disconnect_User: Attempt to terminate a user session indeed_pam: PT-CR-2895: Indeed_Important_PAM_Account_Actions: A user performed an action with a critical user account in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable. indeed_pam: PT-CR-2897: Indeed_Important_PAM_Host_Account_Actions: A user performed an action with a critical user account on a host in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable. indeed_pam: PT-CR-2894: Indeed_Important_PAM_User_Group_Actions: A user performed an action with a critical group in Indeed PAM. This could be an attacker's attempt to escalate privileges or make system or network resources unavailable. indeed_pam: PT-CR-2887: Indeed_Important_Applications_Actions: Suspicious actions with applications on the critical application list in Indeed PAM application network_devices_compromise: PT-CR-1351: Checkpoint_Admin_Modification: Administrators were added or deleted on a Checkpoint device samba_active_directory_attacks: PT-CR-2589: SambaDC_Multiple_User_Password_Change: Multiple user password changes samba_active_directory_attacks: PT-CR-2587: SambaDC_Multiple_User_Lock: Multiple user lockouts samba_active_directory_attacks: PT-CR-2588: SambaDC_User_Locked_Too_Many_Logons: A user was locked after multiple login failures microsoft_mecm: PT-CR-1898: MECM_Remove_Accounts: Deleting an account from MECM capabilities_account_manipulation: PT-CR-2880: CAP_User_Rights_Revoked: Removing a user from a group and/or revoking a role from a user in application software. This could be an attacker's attempt to hinder response and deny access to legitimate users. capabilities_account_manipulation: PT-CR-2878: CAP_User_Blocking_Or_Removing: Blocking, disabling, or deleting an account in application software. This could be an attacker's attempt to disrupt the software's functionality. capabilities_account_manipulation: PT-CR-2871: CAP_Group_Or_Role_Removing: Deletion of an arbitrary user group and/or role in application software. This could be an attacker's attempt to hinder response and deny access to legitimate users. mongo_database: PT-CR-1954: MongoDB_Mass_Drop_User: Mass dropping of users in a MongoDB mongo_database: PT-CR-1955: MongoDB_Revoke_High_Role: Administrator permissions are revoked from a user vmware_aria: PT-CR-2382: Aria_Operations_Admin_Panel_Admin_Locked_Too_Many_Logons: A user is locked. Locking a user can indicate an attacker attempting to block access to the account in the Aria Operations administration interface. vmware_aria: PT-CR-2381: AOFL_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations for Logs vmware_aria: PT-CR-2377: AOFL_User_Locked_Too_Many_Logons: A user lockout can indicate an attacker attempting to block access to an account in Aria Operations for Logs vmware_aria: PT-CR-2368: Aria_Operations_Change_Admin_Password_Via_CLI: Changing the administrator password in Aria Operations from the command line without the old password can indicate an attacker attempting to block access to the owner and/or access the Aria Operations data vmware_aria: PT-CR-2370: AOFL_Role_Manage: A new role with critical permissions can indicate an attacker attempting to escalate privileges and/or gain persistence in the Aria Operations for Logs system vmware_aria: PT-CR-2380: Aria_Operations_User_Manage: The deletion or change of multiple accounts can indicate an attacker attempting to block owners from accessing Aria Operations zabbix: PT-CR-2054: Zabbix_User_Multiple_Password_Change: A user changed a password in Zabbix multiple times. This could be an attacker's attempt to gain persistence. zabbix: PT-CR-2050: Zabbix_Critical_Group_Manipulate: A user performed an action with a critical group in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. zabbix: PT-CR-2051: Zabbix_Critical_User_Manipulate: A user changed a critical user account in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. zabbix: PT-CR-2052: Zabbix_Critical_Role_Manipulate: A user performed an action with a critical role in Zabbix. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. freeipa: PT-CR-1956: FreeIPA_Privileged_Account_Blocking: A user with escalated privileges was locked freeipa: PT-CR-1958: FreeIPA_Multiple_User_Password_Change: Multiple user password changes freeipa: PT-CR-1959: FreeIPA_Multiple_User_Lock: Multiple user lockouts teleport: PT-CR-2535: Teleport_Critical_Role_Manipulation: A user changed or deleted a critical role in Teleport. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. teleport: PT-CR-2530: Teleport_Critical_Lock_Created: A user locked a critical object in Teleport. This could be an attacker's attempt to make system and network resources unavailable. teleport: PT-CR-2544: Teleport_Multiple_User_Modification: A user changed a large number of user accounts in a short period of time. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable. teleport: PT-CR-2543: Teleport_Multiple_User_Locks: A user locked a large number of user accounts in a short period of time. This could be an attacker's attempt to make system and network resources unavailable. teleport: PT-CR-2534: Teleport_Critical_User_Manipulation: A user performed an action with a user account with a critical role in Teleport. This could be an attacker's attempt to escalate privileges or make system and network resources unavailable.

Detection

IDDS0026Data source and componentActive Directory: Active Directory Object ModificationDescription

Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.).

IDDS0002Data source and componentUser Account: User Account ModificationDescription

Monitor for changes made to user accounts for unexpected modification of properties, such as passwords or status (enabled/disabled). Windows event logs may designate activity associated with an adversary's attempt to remove access to an account: Event ID 4723 - An attempt was made to change an account's password Event ID 4724 - An attempt was made to reset an account's password Event ID 4725 - A user account was disabled

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

IDDS0002Data source and componentUser Account: User Account DeletionDescription

Monitor for unexpected deletions of user accounts. Windows event logs may designate activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted).

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.