Detect Account Access Removal in Microsoft Sentinel
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (changed credentials, revoked permissions) to remove access. In Windows, the Net utility, Set-LocalUser, and Set-ADAccountPassword PowerShell cmdlets may be used to modify user accounts. In Linux, the passwd utility may be used to change passwords. Ransomware families such as LockerGoga, MegaCortex, and Akira use this technique to impede incident response before completing their encryption objective. LAPSUS$ has removed global admin accounts to lock organizations out of all access.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1531 Account Access Removal
- Canonical reference: https://attack.mitre.org/techniques/T1531/
KQL Detection Query
let SuspiciousAccountOps = dynamic(["net user", "net.exe user", "Set-LocalUser", "Set-ADAccountPassword", "Disable-ADAccount", "Remove-ADUser", "Remove-LocalUser"]);
// Branch 1: Security Event Log — account deletion, password reset, account disable
let SecurityEventAlerts = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4723, 4724, 4725, 4726, 4740)
| extend ActionType = case(
EventID == 4723, "PasswordChangeAttempt",
EventID == 4724, "PasswordResetAttempt",
EventID == 4725, "AccountDisabled",
EventID == 4726, "AccountDeleted",
EventID == 4740, "AccountLockedOut",
"Unknown"
)
| extend RiskScore = case(
EventID == 4726, 90,
EventID == 4725, 70,
EventID == 4724, 60,
EventID == 4723, 40,
EventID == 4740, 30,
10
)
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, TargetUserName, TargetDomainName, EventID, ActionType, RiskScore, Activity
| where TargetUserName !endswith "$"
| sort by TimeGenerated desc;
// Branch 2: Process events — command-line based account manipulation
let ProcessAlerts = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (SuspiciousAccountOps)
| extend IsNetUserDelete = ProcessCommandLine has "net user" and (ProcessCommandLine has "/delete" or ProcessCommandLine has "/del")
| extend IsNetUserPasswordChange = ProcessCommandLine has "net user" and not (ProcessCommandLine has "/delete" or ProcessCommandLine has "/del" or ProcessCommandLine has "/domain" or ProcessCommandLine has "/add")
| extend IsPowerShellAccountMod = ProcessCommandLine has_any ("Set-LocalUser", "Set-ADAccountPassword", "Disable-ADAccount", "Remove-ADUser", "Remove-LocalUser")
| extend IsLinuxPasswd = FileName =~ "passwd" and ProcessCommandLine !has "--status"
| extend RiskScore = case(
IsNetUserDelete, 90,
IsPowerShellAccountMod, 75,
IsNetUserPasswordChange, 65,
IsLinuxPasswd, 50,
40
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, IsNetUserDelete, IsNetUserPasswordChange, IsPowerShellAccountMod, RiskScore
| sort by Timestamp desc;
// Branch 3: Bulk account operations — high risk signal
let BulkAccountOps = SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID in (4725, 4726)
| summarize OperationCount = count(), AffectedAccounts = make_set(TargetUserName), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, SubjectUserName
| where OperationCount >= 3
| extend AlertType = "BulkAccountRemoval", RiskScore = 100;
// EventID is typed int in SecurityEvent; cast the placeholder so union keeps a single EventID column instead of splitting it by type
SecurityEventAlerts
| union (ProcessAlerts | project TimeGenerated=Timestamp, Computer=DeviceName, SubjectUserName=AccountName, SubjectDomainName="", TargetUserName="", TargetDomainName="", EventID=int(0), ActionType="ProcessBasedAccountOp", RiskScore, Activity=ProcessCommandLine)
| union (BulkAccountOps | project TimeGenerated=FirstSeen, Computer, SubjectUserName, SubjectDomainName="", TargetUserName=tostring(AffectedAccounts), TargetDomainName="", EventID=int(0), ActionType=AlertType, RiskScore, Activity=tostring(OperationCount))
| sort by RiskScore desc, TimeGenerated desc
Detects account access removal across three complementary signals: (1) Windows Security Event Log events 4723/4724/4725/4726/4740 for direct account manipulation, including password changes, resets, disablement, deletion, and lockout; (2) DeviceProcessEvents for command-line invocations of net user /delete, Set-LocalUser, Set-ADAccountPassword, Remove-ADUser, and similar account manipulation commands; (3) bulk account operations, meaning three or more account disables or deletions within one hour from the same subject user on the same host, a strong ransomware precursor indicator. Each event is assigned a risk score based on severity, with bulk operations scoring 100. Computer accounts (names ending in "$") are excluded from Branch 1 to suppress routine machine-account churn.
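To check the scoring and the bulk threshold offline before deploying the rule, here is an added Python re-implementation of Branch 1 and Branch 3 run over constructed SecurityEvent rows. It is not part of the original detection package; the hostnames, subject names and timestamps are made up, and the 1-hour bulk window is applied relative to a supplied "now" rather than ago().

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SecurityEvent rows (synthetic, not real telemetry).
# "jdoe" removes three accounts within seconds; a fourth deletion sits outside the 1h window.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-05-01T10:00:00", "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "alice", "EventID": 4726},
    {"TimeGenerated": "2024-05-01T10:00:05", "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "bob", "EventID": 4726},
    {"TimeGenerated": "2024-05-01T10:00:09", "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "carol", "EventID": 4725},
    {"TimeGenerated": "2024-05-01T08:00:00", "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "erin", "EventID": 4726},
    {"TimeGenerated": "2024-05-01T10:30:00", "Computer": "DC01", "SubjectUserName": "helpdesk", "TargetUserName": "dave", "EventID": 4724},
    {"TimeGenerated": "2024-05-01T10:31:00", "Computer": "DC01", "SubjectUserName": "svc_sccm", "TargetUserName": "WS042$", "EventID": 4726},
]

# EventID -> (ActionType, RiskScore), mirroring Branch 1 of the KQL query.
ACTION = {4723: ("PasswordChangeAttempt", 40), 4724: ("PasswordResetAttempt", 60),
          4725: ("AccountDisabled", 70), 4726: ("AccountDeleted", 90),
          4740: ("AccountLockedOut", 30)}

def score_security_events(events):
    """Branch 1: tag each matching event; computer accounts (trailing '$') are filtered out."""
    rows = []
    for e in events:
        if e["EventID"] in ACTION and not e["TargetUserName"].endswith("$"):
            action, risk = ACTION[e["EventID"]]
            rows.append({**e, "ActionType": action, "RiskScore": risk})
    rows.sort(key=lambda r: r["TimeGenerated"], reverse=True)  # TimeGenerated desc ...
    rows.sort(key=lambda r: r["RiskScore"], reverse=True)      # ... then RiskScore desc (stable sort)
    return rows

def bulk_account_ops(events, now, window_hours=1, threshold=3):
    """Branch 3: >= threshold disables/deletes (4725/4726) by one subject on one host inside the window."""
    now = datetime.fromisoformat(now)
    cutoff = now - timedelta(hours=window_hours)          # equivalent of ago(window_hours)
    groups = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["TimeGenerated"])
        if e["EventID"] in (4725, 4726) and cutoff < ts <= now:
            groups[(e["Computer"], e["SubjectUserName"])].append(e["TargetUserName"])
    alerts = []
    for (computer, subject), targets in groups.items():
        if len(targets) >= threshold:                      # OperationCount >= 3 in the KQL
            alerts.append({"Computer": computer, "SubjectUserName": subject,
                           "OperationCount": len(targets), "AffectedAccounts": sorted(set(targets)),
                           "AlertType": "BulkAccountRemoval", "RiskScore": 100})
    return alerts

if __name__ == "__main__":
    for row in score_security_events(SAMPLE_EVENTS):
        print(row["RiskScore"], row["ActionType"], row["SubjectUserName"], "->", row["TargetUserName"])
    print(bulk_account_ops(SAMPLE_EVENTS, now="2024-05-01T10:45:00"))
```

Widening window_hours to 24 pulls the 08:00 deletion into the same group, which is the knob to turn when tuning for slow, spread-out offboarding runs.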
Data Sources
- Windows Security Event Log (Event IDs 4723, 4724, 4725, 4726, 4740)
- Endpoint process creation telemetry (process name and command line)
Required Tables
- SecurityEvent
- DeviceProcessEvents
False Positives & Tuning
- IT help desk staff routinely resetting user passwords (Event ID 4724) during service desk ticket resolution; correlate with ticketing system activity
- Automated account provisioning/deprovisioning via IAM tools (SailPoint, CyberArk, BeyondTrust) generating bulk account disable/delete events during employee offboarding cycles
- Active Directory cleanup scripts run by domain admins to remove stale or orphaned computer and service accounts
- Password policy enforcement tools forcing password resets at expiry, generating high volumes of 4723/4724 events
- Security testing or red team exercises simulating ransomware precursor behavior in lab environments
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Delete Local Windows User Account via Net Command
Expected signal: Security Event ID 4726 (A user account was deleted) with SubjectUserName=current admin account and TargetUserName=df00techtest. Sysmon Event ID 1 for net.exe and net1.exe with CommandLine containing 'user df00techtest /delete'. Security Event ID 4720 (account created) for the creation step.
- Test 2: Disable Local User Account via PowerShell Set-LocalUser
Expected signal: Security Event ID 4725 (A user account was disabled) with TargetUserName=df00techtest2. Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Set-LocalUser' and '-Enabled $false'. PowerShell ScriptBlock Log Event ID 4104 with the full Set-LocalUser command.
- Test 3: Bulk Account Password Change Simulation via Net Command
Expected signal: Security Event ID 4723 (password change attempt) and/or 4724 (password reset) for df00techtest3. Sysmon Event ID 1 for net.exe with CommandLine containing 'user df00techtest3 NewL0ckedP@ssw0rd!'. The password value itself will appear in process creation logs if command line auditing is enabled.
- Test 4: Linux Account Lock via passwd -l
Expected signal: Linux auditd records: syscall=execve for the useradd and passwd commands, with argv showing '-l df00techtest_linux'. Syslog entries in /var/log/auth.log or /var/log/secure: 'passwd: password changed for df00techtest_linux'. If auditd is configured with USER_MGMT rules, it generates AUDIT_USER_MGMT events for the account modification.