T1531

Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (changed credentials, revoked permissions) to remove access. In Windows, the Net utility, Set-LocalUser, and Set-ADAccountPassword PowerShell cmdlets may be used to modify user accounts. In Linux, the passwd utility may be used to change passwords. Ransomware families such as LockerGoga, MegaCortex, and Akira use this technique to impede incident response before completing their encryption objective. LAPSUS$ has removed global admin accounts to lock organizations out of all access.

Microsoft Sentinel / Defender

kusto

let SuspiciousAccountOps = dynamic(["net user", "net.exe user", "Set-LocalUser", "Set-ADAccountPassword", "Disable-ADAccount", "Remove-ADUser", "Remove-LocalUser"]);
// Branch 1: Security Event Log — account deletion, password reset, account disable
let SecurityEventAlerts = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4723, 4724, 4725, 4726, 4740)
| extend ActionType = case(
    EventID == 4723, "PasswordChangeAttempt",
    EventID == 4724, "PasswordResetAttempt",
    EventID == 4725, "AccountDisabled",
    EventID == 4726, "AccountDeleted",
    EventID == 4740, "AccountLockedOut",
    "Unknown"
)
| extend RiskScore = case(
    EventID == 4726, 90,
    EventID == 4725, 70,
    EventID == 4724, 60,
    EventID == 4723, 40,
    EventID == 4740, 30,
    10
)
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, TargetUserName, TargetDomainName, EventID, ActionType, RiskScore, Activity
| where TargetUserName !endswith "$"
| sort by TimeGenerated desc;
// Branch 2: Process events — command-line based account manipulation
let ProcessAlerts = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SuspiciousAccountOps)
| extend IsNetUserDelete = ProcessCommandLine has "net user" and (ProcessCommandLine has "/delete" or ProcessCommandLine has "/del")
| extend IsNetUserPasswordChange = ProcessCommandLine has "net user" and not (ProcessCommandLine has "/delete" or ProcessCommandLine has "/del" or ProcessCommandLine has "/domain" or ProcessCommandLine has "/add")
| extend IsPowerShellAccountMod = ProcessCommandLine has_any ("Set-LocalUser", "Set-ADAccountPassword", "Disable-ADAccount", "Remove-ADUser", "Remove-LocalUser")
| extend IsLinuxPasswd = FileName =~ "passwd" and ProcessCommandLine !has "--status"
| extend RiskScore = case(
    IsNetUserDelete, 90,
    IsPowerShellAccountMod, 75,
    IsNetUserPasswordChange, 65,
    IsLinuxPasswd, 50,
    40
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, IsNetUserDelete, IsNetUserPasswordChange, IsPowerShellAccountMod, RiskScore
| sort by Timestamp desc;
// Branch 3: Bulk account operations — high risk signal
let BulkAccountOps = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID in (4725, 4726)
| summarize OperationCount = count(), AffectedAccounts = make_set(TargetUserName), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, SubjectUserName
| where OperationCount >= 3
| extend AlertType = "BulkAccountRemoval", RiskScore = 100;
SecurityEventAlerts
| union (ProcessAlerts | project TimeGenerated=Timestamp, Computer=DeviceName, SubjectUserName=AccountName, SubjectDomainName="", TargetUserName="", TargetDomainName="", EventID=0, ActionType="ProcessBasedAccountOp", RiskScore, Activity=ProcessCommandLine)
| union (BulkAccountOps | project TimeGenerated=FirstSeen, Computer, SubjectUserName, SubjectDomainName="", TargetUserName=tostring(AffectedAccounts), TargetDomainName="", EventID=0, ActionType=AlertType, RiskScore, Activity=tostring(OperationCount))
| sort by RiskScore desc, TimeGenerated desc

high severity high confidence

Data Sources

User Account: User Account Deletion User Account: User Account Modification User Account: User Account Authentication Process: Process Creation Command: Command Execution Windows Security Event Log Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

IT help desk staff routinely resetting user passwords (Event ID 4724) during service desk ticket resolution — correlate with ticketing system activity
Automated account provisioning/deprovisioning via IAM tools (SailPoint, CyberArk, BeyondTrust) generating bulk account disable/delete events during employee offboarding cycles
Active Directory cleanup scripts run by domain admins to remove stale or orphaned computer and service accounts
Password policy enforcement tools forcing password resets at expiry, generating high volumes of 4723/4724 events
Security testing or red team exercises simulating ransomware precursor behavior in lab environments

Splunk

spl

| union
[
search index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4723 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4740)
| eval ActionType=case(
    EventCode==4723, "PasswordChangeAttempt",
    EventCode==4724, "PasswordResetAttempt",
    EventCode==4725, "AccountDisabled",
    EventCode==4726, "AccountDeleted",
    EventCode==4740, "AccountLockedOut",
    true(), "Unknown"
)
| eval RiskScore=case(
    EventCode==4726, 90,
    EventCode==4725, 70,
    EventCode==4724, 60,
    EventCode==4723, 40,
    EventCode==4740, 30,
    true(), 10
)
| where NOT match(TargetUserName, "\$$")
| eval Source="SecurityEventLog"
| table _time, host, SubjectUserName, SubjectDomainName, TargetUserName, TargetDomainName, EventCode, ActionType, RiskScore, Source
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*net user*" OR CommandLine="*Set-LocalUser*" OR CommandLine="*Set-ADAccountPassword*" OR CommandLine="*Disable-ADAccount*" OR CommandLine="*Remove-ADUser*" OR CommandLine="*Remove-LocalUser*" OR CommandLine="*userdel*" OR CommandLine="*usermod -L*" OR CommandLine="*passwd *")
| eval cmdline_lower=lower(CommandLine)
| eval IsNetUserDelete=if(match(cmdline_lower, "net\s+user.*/del"), 1, 0)
| eval IsNetUserPasswordChange=if(match(cmdline_lower, "net\s+user\s+\S+\s+\S+") AND NOT match(cmdline_lower, "/delete|/add|/domain"), 1, 0)
| eval IsPSAccountMod=if(match(cmdline_lower, "(set-localuser|set-adaccountpassword|disable-adaccount|remove-aduser|remove-localuser)"), 1, 0)
| eval IsLinuxAccountMod=if(match(cmdline_lower, "(userdel|usermod\s+-l|passwd\s+\S+)"), 1, 0)
| eval RiskScore=case(
    IsNetUserDelete==1, 90,
    IsPSAccountMod==1, 75,
    IsNetUserPasswordChange==1, 65,
    IsLinuxAccountMod==1, 50,
    true(), 40
)
| eval ActionType="ProcessBasedAccountOp"
| eval Source="ProcessCreation"
| table _time, host, User as SubjectUserName, CommandLine as TargetUserName, ParentImage as TargetDomainName, EventCode, ActionType, RiskScore, Source
]
| sort - RiskScore, - _time
| eval DetectionNote=case(
    RiskScore>=90, "CRITICAL: Account deletion or high-confidence manipulation",
    RiskScore>=70, "HIGH: Account disabled or PowerShell account modification",
    RiskScore>=50, "MEDIUM: Password reset or Linux account modification",
    true(), "LOW: Password change attempt or lockout"
)
| table _time, host, SubjectUserName, TargetUserName, EventCode, ActionType, RiskScore, DetectionNote, Source

high severity high confidence

Data Sources

User Account: User Account Deletion User Account: User Account Modification Process: Process Creation Command: Command Execution Windows Security Event Log Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT help desk staff resetting user passwords via automated ticketing integrations generating frequent 4724 events
Automated user lifecycle management tools performing bulk account disables during quarterly access reviews
Domain admin scripts cleaning up stale computer accounts or expired service principals during maintenance windows
Security orchestration tools (SOAR) automatically disabling accounts in response to detected threats — ensure playbook-driven disablement is excluded via SubjectUserName allowlist
Linux configuration management tools (Ansible, Chef) running passwd or usermod as part of system hardening playbooks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS SourceType,
  username AS SubjectUser,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN "EventID" = '4726' THEN 'AccountDeleted'
    WHEN "EventID" = '4725' THEN 'AccountDisabled'
    WHEN "EventID" = '4724' THEN 'PasswordResetAttempt'
    WHEN "EventID" = '4723' THEN 'PasswordChangeAttempt'
    WHEN "EventID" = '4740' THEN 'AccountLockedOut'
    ELSE 'ProcessBasedAccountOp'
  END AS ActionType,
  CASE
    WHEN "EventID" = '4726' THEN 90
    WHEN "EventID" = '4725' THEN 70
    WHEN "EventID" = '4724' THEN 60
    WHEN "EventID" = '4723' THEN 40
    WHEN "EventID" = '4740' THEN 30
    ELSE 40
  END AS RiskScore,
  magnitude
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13)
  AND (
    (
      "EventID" IN ('4723', '4724', '4725', '4726', '4740')
      AND username NOT LIKE '%$'
    )
    OR
    (
      "EventID" = '1'
      AND (
        LOWER("CommandLine") LIKE '%net user%/del%'
        OR LOWER("CommandLine") LIKE '%set-localuser%'
        OR LOWER("CommandLine") LIKE '%set-adaccountpassword%'
        OR LOWER("CommandLine") LIKE '%disable-adaccount%'
        OR LOWER("CommandLine") LIKE '%remove-aduser%'
        OR LOWER("CommandLine") LIKE '%remove-localuser%'
        OR LOWER("CommandLine") LIKE '%userdel %'
        OR LOWER("CommandLine") LIKE '%usermod -l%'
      )
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC

high severity medium confidence

Data Sources

IBM QRadar Windows Security Event Log DSM (LOGSOURCETYPEID 12) IBM QRadar Sysmon DSM via WinCollect or Universal DSM (LOGSOURCETYPEID 13)

Required Tables

events

False Positives

Authorized IT helpdesk personnel using net user, ADUC, or PowerShell AD cmdlets to perform documented offboarding — consider adding an allowlist of known IT admin usernames in the username NOT IN ('svc-idm', 'helpdesk-admin') clause
LOGSOURCETYPEID values 12 and 13 may differ in non-standard QRadar deployments — validate with: SELECT LOGSOURCETYPENAME(devicetype), devicetype FROM events WHERE "EventID" IN ('4726','4725') LIMIT 10 and update accordingly
HR system integrations using Azure AD Connect or Okta provisioning that propagate account state changes during organizational restructuring will generate bursts of 4725/4726 events — correlate with change management windows to distinguish authorized bulk operations

Sumo Logic CSE

sql

(_sourceCategory=windows/security OR _sourceCategory=windows/sysmon OR _sourceCategory=linux/secure)
| where (EventID in ("4723", "4724", "4725", "4726", "4740") and !matches(TargetUserName, ".*\\$"))
   or (EventID = "1" and (
     matches(CommandLine, "(?i).*net[\\s]+user[\\s\\S]+\/del.*")
     or matches(CommandLine, "(?i).*Set-LocalUser.*")
     or matches(CommandLine, "(?i).*Set-ADAccountPassword.*")
     or matches(CommandLine, "(?i).*Disable-ADAccount.*")
     or matches(CommandLine, "(?i).*Remove-ADUser.*")
     or matches(CommandLine, "(?i).*Remove-LocalUser.*")
     or matches(CommandLine, "(?i).*userdel[\\s]+.*")
     or matches(CommandLine, "(?i).*usermod[\\s]+-L.*")
   ))
| eval RiskScore = if(EventID = "4726", 90,
    if(matches(CommandLine, "(?i).*(net[\\s]+user.+\/del).*"), 90,
    if(matches(CommandLine, "(?i).*(Set-LocalUser|Set-ADAccountPassword|Disable-ADAccount|Remove-ADUser|Remove-LocalUser).*"), 75,
    if(EventID = "4725", 70,
    if(EventID = "4724", 60,
    if(matches(CommandLine, "(?i).*(userdel|usermod[\\s]+-L).*"), 50,
    if(EventID = "4723", 40,
    if(EventID = "4740", 30, 40))))))))
| eval ActionType = if(EventID = "4726", "AccountDeleted",
    if(EventID = "4725", "AccountDisabled",
    if(EventID = "4724", "PasswordResetAttempt",
    if(EventID = "4723", "PasswordChangeAttempt",
    if(EventID = "4740", "AccountLockedOut", "ProcessBasedAccountOp")))))
| eval DetectionNote = if(RiskScore >= 90, "CRITICAL: Account deletion or net user /delete",
    if(RiskScore >= 70, "HIGH: Account disabled or PowerShell AD cmdlet",
    if(RiskScore >= 50, "MEDIUM: Password reset or Linux account modification",
    "LOW: Password change attempt or lockout")))
| sort by RiskScore desc, _messageTime desc
| fields _messageTime, Computer, SubjectUserName, TargetUserName, EventID, ActionType, RiskScore, DetectionNote, CommandLine

high severity high confidence

Data Sources

Sumo Logic Windows Source (Security Event Log) Sumo Logic Windows Source (Sysmon via Winlogbeat or Installed Collector) Sumo Logic Linux Source (/var/log/secure or /var/log/auth.log)

Required Tables

Sumo Logic search index (sourceCategory-routed — no fixed table names)

False Positives

Identity governance platforms (SailPoint, Saviynt, CyberArk) executing automated access review remediations that generate bursts of account disable or delete events — correlate EventID 4726/4725 clusters with change management records to distinguish authorized batch offboarding
IT service desk personnel performing documented offboarding with active ticketing system entries — build a Sumo Logic lookup table of approved admin SubjectUserName values and suppress matches from that set
_sourceCategory paths for windows/security, windows/sysmon, and linux/secure vary by deployment — validate with: * | count by _sourceCategory and update the initial source filter to match your environment's actual category taxonomy

Google Chronicle / SecOps

yaral

rule t1531_account_access_removal {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1531 Account Access Removal via account deletion, disabling, lockout, or credential manipulation. Ransomware families LockerGoga, MegaCortex, and Akira use this technique to impede IR before encryption. LAPSUS$ removed global admin accounts to lock organizations out entirely."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1531"
    false_positives = "Authorized IT account lifecycle management, deprovisioning automation, PAM credential rotation"
    version = "1.0"

  events:
    (
      $e.metadata.event_type = "USER_DELETION" or
      $e.metadata.event_type = "USER_ACCOUNT_DISABLED" or
      $e.metadata.event_type = "USER_CHANGE_PASSWORD" or
      $e.metadata.event_type = "USER_ACCOUNT_LOCKED" or
      (
        $e.metadata.event_type = "PROCESS_LAUNCH" and
        re.regex(
          $e.target.process.command_line,
          `(?i)(net[\s]+user[\s\S]+/del|Set-LocalUser|Set-ADAccountPassword|Disable-ADAccount|Remove-ADUser|Remove-LocalUser|userdel[\s]+|usermod[\s]+-L)`
        )
      )
    )
    not re.regex($e.target.user.userid, `.*\$`)

  outcome:
    $risk_score = max(
      if($e.metadata.event_type = "USER_DELETION", 90,
      if($e.metadata.event_type = "USER_ACCOUNT_DISABLED", 70,
      if($e.metadata.event_type = "USER_CHANGE_PASSWORD", 60,
      if($e.metadata.event_type = "USER_ACCOUNT_LOCKED", 30, 40))))
    )
    $host = $e.principal.hostname
    $actor = $e.principal.user.userid
    $target_user = $e.target.user.userid
    $event_type = $e.metadata.event_type
    $command = $e.target.process.command_line

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Windows Security Event Log via Chronicle forwarder or Bindplane) Chronicle Endpoint telemetry (CrowdStrike Falcon, Microsoft Defender, Carbon Black) Chronicle Linux syslog / auditd ingestion

Required Tables

UDM events normalized to USER_DELETION, USER_ACCOUNT_DISABLED, USER_CHANGE_PASSWORD, USER_ACCOUNT_LOCKED, PROCESS_LAUNCH

False Positives

Authorized Active Directory lifecycle automation via PowerShell DSC, Azure AD Connect sync, or HR system integrations (Workday, BambooHR) that propagate account state changes — these generate USER_ACCOUNT_DISABLED events at scale during organizational changes and may require principal.application filtering
Chronicle UDM normalization may map routine end-user self-service password changes through identity providers (Okta, Azure AD SSPR) to USER_CHANGE_PASSWORD — consider adding not $e.principal.application = "SelfServicePasswordReset" to reduce noise
Privileged access management platforms (CyberArk, BeyondTrust) performing scheduled credential rotation for service accounts will generate USER_CHANGE_PASSWORD events — correlate $host against a Chronicle reference list of known PAM server hostnames to suppress

CrowdStrike LogScale (CQL)

cql

(#event_simpleName = "UserAccountDeleted"
  OR #event_simpleName = "UserAccountDisabled"
  OR #event_simpleName = "UserAccountPasswordChanged"
  OR #event_simpleName = "UserAccountLockout"
  OR (#event_simpleName = "ProcessRollup2"
      AND CommandLine = /(?i)(net\s+user\s+\S+\s+\/del|Set-LocalUser|Set-ADAccountPassword|Disable-ADAccount|Remove-ADUser|Remove-LocalUser|userdel\s+|usermod\s+-L)/)
)
| RiskScore := case{
    #event_simpleName = "UserAccountDeleted", 90;
    CommandLine = /(?i)net\s+user.*\/del/, 90;
    CommandLine = /(?i)(Set-LocalUser|Set-ADAccountPassword|Disable-ADAccount|Remove-ADUser|Remove-LocalUser)/, 75;
    #event_simpleName = "UserAccountDisabled", 70;
    #event_simpleName = "UserAccountPasswordChanged", 60;
    CommandLine = /(?i)(userdel\s|usermod\s+-L)/, 50;
    #event_simpleName = "UserAccountLockout", 30;
    *, 40
  }
| ActionType := case{
    #event_simpleName = "UserAccountDeleted", "AccountDeleted";
    #event_simpleName = "UserAccountDisabled", "AccountDisabled";
    #event_simpleName = "UserAccountPasswordChanged", "PasswordChanged";
    #event_simpleName = "UserAccountLockout", "AccountLockedOut";
    *, "ProcessBasedAccountOp"
  }
| sort(field=RiskScore, order=desc, limit=500)
| select([timestamp, ComputerName, UserName, TargetUserName, CommandLine, #event_simpleName, ActionType, RiskScore])

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR sensor endpoint telemetry Falcon Platform user account activity events

Required Tables

ProcessRollup2 UserAccountDeleted UserAccountDisabled UserAccountPasswordChanged UserAccountLockout

False Positives

CrowdStrike Falcon UserAccountDeleted and UserAccountDisabled events may fire for machine and computer accounts during Active Directory cleanup operations — append | TargetUserName != /.*\$/ to exclude computer accounts (trailing dollar sign) if high-volume false positives are observed
Automated IT operations using PowerShell remoting, SCCM, or Intune that invoke Disable-ADAccount or Set-ADAccountPassword for routine service account rotation will generate ProcessRollup2 matches — enrich with ParentBaseFileName to identify known management tool parent processes and build a suppression list
PAM solutions (CyberArk, Delinea) managing privileged credential vaults generate UserAccountPasswordChanged events on rotation schedules — correlate ComputerName against a reference list of known PAM server hostnames to suppress expected rotation activity

Last updated: 2026-04-20 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1531 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Account Access Removal

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Impact

Popular Detections