T1531: Account Access Removal
| View on MITRE ATT&CK | T1531 |
|---|---|
| Tactic(s) | Impact |
| Associated CAPEC Patterns | Inducing Account Lockout (CAPEC-2) |
Data from MITRE ATT&CK®:
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
In Windows, Net utility, Set-LocalUser and Set-ADAccountPassword PowerShell cmdlets may be used by adversaries to modify user accounts. In Linux, the passwd utility may be used to change passwords. Accounts could also be disabled by Group Policy.
Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and Connectwise ...
How to detect this technique
MITRE ATT&CK Data Components
User Account Modification (User Account)
Changes made to an account, such as permissions and/or membership in specific groups (ex: Windows EID 4738 or /var/log access/authentication logs)Active Directory Object Modification (Active Directory)
Changes made to an active directory object (ex: Windows EID 5163 or 5136)User Account Deletion (User Account)
Removal of an account (ex: Windows EID 4726 or /var/log access/authentication logs)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.