Detect Account Access Removal in IBM QRadar

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (changed credentials, revoked permissions) to remove access. In Windows, the Net utility, Set-LocalUser, and Set-ADAccountPassword PowerShell cmdlets may be used to modify user accounts. In Linux, the passwd utility may be used to change passwords. Ransomware families such as LockerGoga, MegaCortex, and Akira use this technique to impede incident response before completing their encryption objective. LAPSUS$ has removed global admin accounts to lock organizations out of all access.

MITRE ATT&CK

Tactic: Impact
Technique: T1531 Account Access Removal
Canonical reference: https://attack.mitre.org/techniques/T1531/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS SourceType,
  username AS SubjectUser,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN "EventID" = '4726' THEN 'AccountDeleted'
    WHEN "EventID" = '4725' THEN 'AccountDisabled'
    WHEN "EventID" = '4724' THEN 'PasswordResetAttempt'
    WHEN "EventID" = '4723' THEN 'PasswordChangeAttempt'
    WHEN "EventID" = '4740' THEN 'AccountLockedOut'
    ELSE 'ProcessBasedAccountOp'
  END AS ActionType,
  CASE
    WHEN "EventID" = '4726' THEN 90
    WHEN "EventID" = '4725' THEN 70
    WHEN "EventID" = '4724' THEN 60
    WHEN "EventID" = '4723' THEN 40
    WHEN "EventID" = '4740' THEN 30
    ELSE 40
  END AS RiskScore,
  magnitude
FROM events
WHERE
  devicetype IN (12, 13)
  AND (
    (
      "EventID" IN ('4723', '4724', '4725', '4726', '4740')
      AND username NOT LIKE '%$'
    )
    OR
    (
      "EventID" = '1'
      AND (
        LOWER("CommandLine") LIKE '%net user%/del%'
        OR LOWER("CommandLine") LIKE '%set-localuser%'
        OR LOWER("CommandLine") LIKE '%set-adaccountpassword%'
        OR LOWER("CommandLine") LIKE '%disable-adaccount%'
        OR LOWER("CommandLine") LIKE '%remove-aduser%'
        OR LOWER("CommandLine") LIKE '%remove-localuser%'
        OR LOWER("CommandLine") LIKE '%userdel %'
        OR LOWER("CommandLine") LIKE '%usermod -l%'
      )
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, starttime DESC
Severity: high · Confidence: medium

IBM QRadar AQL query detecting T1531 Account Access Removal via Windows Security Event Log (log source type id, the devicetype column, 12) account lifecycle events (4723, 4724, 4725, 4726, 4740) and Sysmon Process Creation (log source type id 13, EventID 1) command-line patterns matching account manipulation tools. Computer accounts are excluded by filtering out usernames with a trailing $. Matches are risk-scored from 90 for account deletion down to 30 for lockout; process-based matches receive 40. The query searches the past 24 hours. LOWER() normalization on CommandLine makes the PowerShell cmdlet matching case-insensitive.
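The rule logic of the query above, re-expressed in Python as an added example (not part of the original page or of QRadar) so it can be exercised offline against constructed events: the two CASE expressions become a lookup table, the LIKE patterns become case-insensitive regexes, and the optional allowlist parameter is the tuning suggested in the False Positives section. The log source type ids, the event dicts, the timestamps and the usernames are all constructed.

```python
import re
from datetime import datetime, timedelta, timezone

WINDOWS_SECURITY, SYSMON = 12, 13   # log source type ids (devicetype) as assumed by the page's query
# EventID -> (ActionType, RiskScore), mirroring the query's two CASE expressions.
SECURITY_EVENTS = {
    "4726": ("AccountDeleted", 90), "4725": ("AccountDisabled", 70),
    "4724": ("PasswordResetAttempt", 60), "4723": ("PasswordChangeAttempt", 40),
    "4740": ("AccountLockedOut", 30),
}
# The LIKE patterns from the query, with '%' translated to '.*' (LOWER() -> IGNORECASE).
COMMAND_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"net user.*/del", r"set-localuser", r"set-adaccountpassword", r"disable-adaccount",
    r"remove-aduser", r"remove-localuser", r"userdel ", r"usermod -l")]

def classify(event, now, allowlist=()):
    """Return (ActionType, RiskScore) when the event satisfies the rule, else None."""
    if event["devicetype"] not in (WINDOWS_SECURITY, SYSMON):
        return None
    if event["starttime"] <= now - timedelta(hours=24):   # starttime > NOW() - 86400000
        return None
    if event["username"] in allowlist:   # hypothetical tuning: documented offboarding admins
        return None
    eid = event["EventID"]
    if eid in SECURITY_EVENTS and not event["username"].endswith("$"):
        return SECURITY_EVENTS[eid]           # computer accounts (trailing $) are excluded
    if eid == "1" and any(p.search(event.get("CommandLine", "")) for p in COMMAND_PATTERNS):
        return ("ProcessBasedAccountOp", 40)  # ELSE branch of both CASE expressions
    return None

def hunt(events, now, allowlist=()):
    """Matching events as (username, ActionType, RiskScore), ordered like the query."""
    hits = [(e["username"], *r, e["starttime"]) for e in events
            if (r := classify(e, now, allowlist))]
    hits.sort(key=lambda h: (-h[2], -h[3].timestamp()))   # RiskScore DESC, starttime DESC
    return [h[:3] for h in hits]

NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)   # constructed reference time
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"devicetype": 12, "EventID": "4726", "username": "Administrator", "CommandLine": "",
     "starttime": NOW - timedelta(minutes=5)},    # Test 1 style: a local account was deleted
    {"devicetype": 12, "EventID": "4726", "username": "WS01$", "CommandLine": "",
     "starttime": NOW - timedelta(minutes=4)},    # computer account, filtered out
    {"devicetype": 13, "EventID": "1", "username": "helpdesk-admin", "starttime": NOW - timedelta(minutes=2),
     "CommandLine": "powershell Set-LocalUser -Name df00techtest2 -Enabled $false"},  # Test 2 style
    {"devicetype": 13, "EventID": "1", "username": "svc-build", "starttime": NOW - timedelta(minutes=1),
     "CommandLine": "net user builder /add"},     # 'net user' without '/del': not a match
    {"devicetype": 12, "EventID": "4740", "username": "jdoe", "CommandLine": "",
     "starttime": NOW - timedelta(hours=30)},     # lockout, but older than the 24-hour window
]
```

Running hunt(SAMPLE_EVENTS, NOW) returns only the deletion and the Set-LocalUser process event, in that order; passing allowlist=("helpdesk-admin",) drops the second.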

Data Sources

  • IBM QRadar Windows Security Event Log DSM (log source type id 12)
  • IBM QRadar Sysmon DSM via WinCollect or Universal DSM (log source type id 13)

Required Tables

events

False Positives & Tuning

  • Authorized IT helpdesk personnel using net user, ADUC, or PowerShell AD cmdlets to perform documented offboarding — consider adding an allowlist of known IT admin usernames in the username NOT IN ('svc-idm', 'helpdesk-admin') clause
  • LOGSOURCETYPEID values 12 and 13 may differ in non-standard QRadar deployments — validate with: SELECT LOGSOURCETYPENAME(devicetype), devicetype FROM events WHERE "EventID" IN ('4726','4725') LIMIT 10 and update accordingly
  • HR system integrations using Azure AD Connect or Okta provisioning that propagate account state changes during organizational restructuring will generate bursts of 4725/4726 events — correlate with change management windows to distinguish authorized bulk operations

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Delete Local Windows User Account via Net Command

    Expected signal: Security Event ID 4726 (A user account was deleted) with SubjectUserName=current admin account and TargetUserName=df00techtest. Sysmon Event ID 1 for net.exe and net1.exe with CommandLine containing 'user df00techtest /delete'. Security Event ID 4720 (account created) for the creation step.

  2. Test 2: Disable Local User Account via PowerShell Set-LocalUser

    Expected signal: Security Event ID 4725 (A user account was disabled) with TargetUserName=df00techtest2. Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Set-LocalUser' and '-Enabled $false'. PowerShell ScriptBlock Log Event ID 4104 with the full Set-LocalUser command.

  3. Test 3: Bulk Account Password Change Simulation via Net Command

    Expected signal: Security Event ID 4723 (password change attempt) and/or 4724 (password reset) for df00techtest3. Sysmon Event ID 1 for net.exe with CommandLine containing 'user df00techtest3 NewL0ckedP@ssw0rd!'. The password value itself will appear in process creation logs if command line auditing is enabled.

  4. Test 4: Linux Account Lock via passwd -l

    Expected signal: Linux auditd records with syscall=execve for the useradd and passwd commands, with argv showing '-l df00techtest_linux'. Syslog entries in /var/log/auth.log or /var/log/secure: 'passwd: password changed for df00techtest_linux'. If auditd is configured with USER_MGMT rules, it generates AUDIT_USER_MGMT events for the account modification.
