Account Access Removal (T1531)
Tactic: Impact
Adversaries may interrupt the availability of system and network resources by inhibiting access to accounts used by legitimate users. Accounts may be deleted, locked, or manipulated (e.g. changed credentials, revoked permissions on SaaS platforms such as SharePoint) to remove access. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set the malicious changes into place.
Events covered
8 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Security-Auditing | Event ID 4624 | An account was successfully logged on. |
| Security-Auditing | Event ID 4634 | An account was logged off. |
| Security-Auditing | Event ID 4647 | User initiated logoff. |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| Security-Auditing | Event ID 4724 | An attempt was made to reset an account's password. |
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
| Sysmon-for-Linux | Event ID 1 | Process Create |
Authoring guide
Patterns shared across the 62 rules listed below: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (71 distinct)
The fields most rules inspect when detecting this technique. The How column shows the operators rule authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (150 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (28 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's catalog entry lists its full predicates, exclusions, and indicators.
Sigma (10 rules)
- AWS ElastiCache Security Group Modified or Deleted
- AWS SAML Provider Deletion Activity
- Azure Kubernetes Service Account Modified or Deleted
- Google Cloud Service Account Disabled or Deleted
- Group Has Been Deleted Via Groupdel
- IAM Login Profile Deleted
- Okta User Account Locked Out
- Remove Account From Domain Admin Group
- User Has Been Deleted Via Userdel
- User Logoff Event
Elastic (15 rules)
- Account Password Reset Remotely
- Attempt to Revoke Okta API Token
- AWS IAM Deactivation of MFA Device
- AWS IAM Group Deletion
- GCP IAM Role Deletion
- GCP IAM Service Account Key Deletion
- GCP Service Account Deletion
- GCP Service Account Disabled
- GitHub PAT Access Revoked
- GitHub User Blocked From Organization
- Google Workspace Admin Role Deletion
- Google Workspace MFA Enforcement Disabled
- Linux User or Group Deletion
- Member Removed From GitHub Organization
- SSH Authorized Keys File Deletion
Splunk (8 rules)
- Account Password Changed from Command Line - Windows (PowerShell)
- Account Password Changed from Command Line - Windows (Windows Event Log)
- Cisco ASA - User Account Deleted From Local Database
- Windows Account Access Removal via Logoff Exec
- Windows Excessive Usage Of Net App
- Windows Powershell Logoff User via Quser
- Windows User Deletion Via Net
- Windows User Disabled Via Net
Kusto (13 rules)
- BTP - Build Work Zone unauthorized access and role tampering
- BTP - Mass user deletion in a sub account
- BTP - Mass user deletion in SAP Cloud Identity Service
- Cisco Duo - Admin user deleted
- Cisco Duo - Multiple users deleted
- Jira - Permission scheme updated
- Jira - Project roles changed
- Jira - User removed from group
- Jira - User removed from project
- Multiple admin membership removals from newly created admin.
- Threat Essentials - Multiple admin membership removals from newly created admin.
- Valimail Enforce - High-Value User Management Event
- Valimail Enforce - Unusual Rate of Configuration Changes or User Additions
YARA-L (1 rule)
Panther (15 rules)
- Anthropic Organization User Deleted
- AppOmni Alert Passthrough
- AWS RDS Instance or Cluster Deleted
- Crowdstrike Allowlist Removed
- Crowdstrike API Key Deleted
- Databricks Group Deleted
- Databricks User Account Deleted
- OneLogin Multiple Accounts Deleted
- OneLogin Multiple Accounts Modified
- Slack Organization Deleted
- Slack Primary Owner Transferred
- Slack User Privileges Changed to User
- Wiz Revoke User Sessions
- Zendesk User Suspension Status Changed
- ZIA Account Access Removed