ATT&CK Technique

Account Access Removal

T1531 · impact

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (e.g., changed credentials, or revoked permissions on SaaS platforms such as SharePoint) to remove access to them. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.

In Windows, the Net utility and the Set-LocalUser and Set-ADAccountPassword PowerShell cmdlets may be used by adversaries to modify user accounts. Accounts could also be disabled by Group Policy. In Linux, the passwd utility may be used to change passwords.

On ESXi servers, accounts can be removed or modified via esxcli (esxcli system account set, esxcli system account remove). Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response and recovery before completing the Data Encrypted for Impact objective.

Platforms: Linux, macOS, Windows, SaaS, IaaS, Office Suite, ESXi

Actors Using This (14)

Andariel (north_korea)
Anubis Ransomware (unknown_likely_russia_aligned)
APT38 (north_korea)
Bizarro (brazil)
BlackLock Ransomware (unknown_likely_russia_aligned_eldorado_lineage)
BlackLotus (commercial_cybercrime_uefi_bootkit)
Brain Cipher (unknown_likely_russia_aligned)
Cicada3301 (unknown_likely_russia_aligned_alphv_lineage)
Eldorado Ransomware (unknown_likely_russia_aligned)
Fog Ransomware (unknown_likely_russia_aligned)
GANANITE (state_actor_dragos_tracked_cis_central_asia_espionage_focus_2023_disclosed)
Interlock Ransomware (unknown_likely_russia_aligned)
LAPSUS$ (predominantly_english_speaking_youth_organized_crime)

Likely Attack Path

Techniques that the same actors pair with this one distinctively: those that appear among actors who use this technique noticeably more often than across all actors (lift > 1.15), grouped by kill-chain phase. A near-universal technique pairs with everything at baseline, so its list is short by design.
Phases listed (each earlier in the kill chain than this impact technique): resource-development, persistence, credential-access

Atomic Tests (8)

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, and confirm your detections fire.
Change User Password - Windows (command_prompt, elevated, windows)
Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with the password "HuHuHUHoHo283283".
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}
Delete User - Windows (command_prompt, elevated, windows)
Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /delete
Remove Account From Domain Admin Group (powershell, windows)
This test will remove an account from the Domain Admins group.
$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
# Only attempt the removal if the account is currently a member of Domain Admins
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
    Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
    Write-Host "Error - Make sure #{remove_user} is in the domain admins group" -ForegroundColor Red
}
Change User Password via passwd (sh, elevated, macos, linux)
This test changes the user password to hinder access to the account using the passwd utility.
passwd #{user_account} #enter admin password > enter new password > confirm new password
Delete User via dscl utility (sh, elevated, macos)
This test deletes the user account using the dscl utility.
dscl . -delete /Users/#{user_account} #enter admin password
Delete User via sysadminctl utility (sh, elevated, macos)
This test deletes the user account using the sysadminctl utility.
sysadminctl -deleteUser #{user_account} #enter admin password
Azure AD - Delete user via Azure AD PowerShell (powershell, azure-ad)
Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
Remove-AzureADUser -ObjectId $userprincipalname
Azure AD - Delete user via Azure CLI (powershell, azure-ad)
Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.
az login
$userprincipalname = "#{userprincipalname}"
az ad user delete --id $userprincipalname
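As an added example (not part of the ATT&CK entry or of the Atomic Red Team tests above), the following Python classifier runs the command patterns named in this technique's description and in the tests above over constructed process-creation records and labels each hit by the kind of access removal it indicates. The event shape, the sample command lines and the rule grouping are this example's assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample process-creation records, not real telemetry; the
# (platform, command_line) shape and every value are assumptions for illustration.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("windows", "net.exe user AtomicUser /delete"),
    ("windows", "net user AtomicAdministrator HuHuHUHoHo283283"),
    ("windows", "powershell.exe Set-LocalUser -Name svc -Password $p"),
    ("windows", "powershell.exe Remove-ADGroupMember -Identity 'Domain Admins' -Members jdoe"),
    ("linux", "passwd backupuser"),
    ("macos", "dscl . -delete /Users/alice"),
    ("macos", "sysadminctl -deleteUser alice"),
    ("esxi", "esxcli system account remove -i admin2"),
    ("cloud", "az ad user delete --id jdoe@example.com"),
    ("windows", "net user"),  # enumeration only, changes nothing
    ("linux", "passwd"),      # a user changing their own password
]

# Command patterns from this technique's description and atomic tests, grouped by the
# kind of access removal they indicate (the grouping is this example's assumption).
# Deletion rules run first so "net user X /delete" is not read as a password change.
RULES = {
    "account_deleted": [
        re.compile(r"\bnet(?:\.exe)?\s+user\s+\S+\s+/delete\b", re.I),
        re.compile(r"\bdscl\s+\.\s+-delete\s+/Users/\S+", re.I),
        re.compile(r"\bsysadminctl\s+-deleteUser\b", re.I),
        re.compile(r"\besxcli\s+system\s+account\s+remove\b", re.I),
        re.compile(r"\baz\s+ad\s+user\s+delete\b", re.I),
        re.compile(r"\bRemove-AzureADUser\b", re.I),
    ],
    "credentials_changed": [
        re.compile(r"\bnet(?:\.exe)?\s+user\s+\S+\s+(?!/)\S+\s*$", re.I),  # net user NAME NEWPASS
        re.compile(r"\bSet-(?:LocalUser|ADAccountPassword)\b", re.I),
        re.compile(r"\bpasswd\s+\S+", re.I),  # passwd aimed at another account
        re.compile(r"\besxcli\s+system\s+account\s+set\b", re.I),
    ],
    "privileges_revoked": [re.compile(r"\bRemove-ADGroupMember\b.*Domain Admins", re.I)],
}

def classify(command_line: str) -> Optional[str]:
    """Return the access-removal label a command line matches, or None if no rule fires."""
    for label, patterns in RULES.items():
        if any(p.search(command_line) for p in patterns):
            return label
    return None

def detect(events: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (platform, label, command_line) for every event a rule fires on."""
    return [(plat, lbl, cmd) for plat, cmd in events if (lbl := classify(cmd))]
```

Running `detect(SAMPLE_EVENTS)` flags nine of the eleven constructed records and leaves the bare `net user` and `passwd` invocations alone, which is the distinction a Sigma-style rule for this technique has to make to keep noise down.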

Detection Coverage (1/6 layers)

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma): 9
Analytics (MITRE CAR): none
Runtime / container (Falco): none
File / malware (YARA): none
Network (Suricata/Snort): none
Vuln scan (Nuclei): none

threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin