T1531 Splunk · SPL

Detect Account Access Removal in Splunk

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (changed credentials, revoked permissions) to remove access. In Windows, the Net utility, Set-LocalUser, and Set-ADAccountPassword PowerShell cmdlets may be used to modify user accounts. In Linux, the passwd utility may be used to change passwords. Ransomware families such as LockerGoga, MegaCortex, and Akira use this technique to impede incident response before completing their encryption objective. LAPSUS$ has removed global admin accounts to lock organizations out of all access.

MITRE ATT&CK

Tactic: Impact
Technique: T1531 Account Access Removal
Canonical reference: https://attack.mitre.org/techniques/T1531/

SPL Detection Query

Splunk (SPL)
| union
[
search index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4723 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4740)
| eval ActionType=case(
    EventCode==4723, "PasswordChangeAttempt",
    EventCode==4724, "PasswordResetAttempt",
    EventCode==4725, "AccountDisabled",
    EventCode==4726, "AccountDeleted",
    EventCode==4740, "AccountLockedOut",
    true(), "Unknown"
)
| eval RiskScore=case(
    EventCode==4726, 90,
    EventCode==4725, 70,
    EventCode==4724, 60,
    EventCode==4723, 40,
    EventCode==4740, 30,
    true(), 10
)
| where NOT match(TargetUserName, "\$$")
| eval Source="SecurityEventLog"
| table _time, host, SubjectUserName, SubjectDomainName, TargetUserName, TargetDomainName, EventCode, ActionType, RiskScore, Source
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*net user*" OR CommandLine="*Set-LocalUser*" OR CommandLine="*Set-ADAccountPassword*" OR CommandLine="*Disable-ADAccount*" OR CommandLine="*Remove-ADUser*" OR CommandLine="*Remove-LocalUser*" OR CommandLine="*userdel*" OR CommandLine="*usermod -L*" OR CommandLine="*passwd *")
| eval cmdline_lower=lower(CommandLine)
| eval IsNetUserDelete=if(match(cmdline_lower, "net\s+user.*/del"), 1, 0)
| eval IsNetUserPasswordChange=if(match(cmdline_lower, "net\s+user\s+\S+\s+\S+") AND NOT match(cmdline_lower, "/delete|/add|/domain"), 1, 0)
| eval IsPSAccountMod=if(match(cmdline_lower, "(set-localuser|set-adaccountpassword|disable-adaccount|remove-aduser|remove-localuser)"), 1, 0)
| eval IsLinuxAccountMod=if(match(cmdline_lower, "(userdel|usermod\s+-l|passwd\s+\S+)"), 1, 0)
| eval RiskScore=case(
    IsNetUserDelete==1, 90,
    IsPSAccountMod==1, 75,
    IsNetUserPasswordChange==1, 65,
    IsLinuxAccountMod==1, 50,
    true(), 40
)
| eval ActionType="ProcessBasedAccountOp"
| eval Source="ProcessCreation"
| rename User as SubjectUserName, CommandLine as TargetUserName, ParentImage as TargetDomainName
| table _time, host, SubjectUserName, TargetUserName, TargetDomainName, EventCode, ActionType, RiskScore, Source
]
| sort 0 -RiskScore, -_time
| eval DetectionNote=case(
    RiskScore>=90, "CRITICAL: Account deletion or high-confidence manipulation",
    RiskScore>=70, "HIGH: Account disabled or PowerShell account modification",
    RiskScore>=50, "MEDIUM: Password reset or Linux account modification",
    true(), "LOW: Password change attempt or lockout"
)
| table _time, host, SubjectUserName, TargetUserName, EventCode, ActionType, RiskScore, DetectionNote, Source
Severity: high · Confidence: high

Detects account access removal using two search branches unified via SPL union: (1) Windows Security Event Log events 4723/4724/4725/4726/4740 mapped to actionable alert types with risk scores, with computer accounts (TargetUserName ending in $) excluded; (2) Sysmon Event ID 1 (Process Create) matching command lines invoking net user /delete, PowerShell account cmdlets (Set-LocalUser, Set-ADAccountPassword, Disable-ADAccount, Remove-ADUser, Remove-LocalUser), and Linux account manipulation utilities (userdel, usermod -L, passwd). Each match is scored and tagged with a human-readable DetectionNote for analyst triage. Results are sorted by risk score descending, then by time, to surface the highest-priority events first.

Data Sources

  • User Account: User Account Deletion
  • User Account: User Account Modification
  • Process: Process Creation
  • Command: Command Execution
  • Windows Security Event Log
  • Sysmon Event ID 1

Required Sourcetypes

  • WinEventLog:Security
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • IT help desk staff resetting user passwords via automated ticketing integrations generating frequent 4724 events
  • Automated user lifecycle management tools performing bulk account disables during quarterly access reviews
  • Domain admin scripts cleaning up stale computer accounts or expired service principals during maintenance windows
  • Security orchestration tools (SOAR) automatically disabling accounts in response to detected threats — ensure playbook-driven disablement is excluded via SubjectUserName allowlist
  • Linux configuration management tools (Ansible, Chef) running passwd or usermod as part of system hardening playbooks

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Delete Local Windows User Account via Net Command

    Expected signal: Security Event ID 4726 (A user account was deleted) with SubjectUserName=current admin account and TargetUserName=df00techtest. Sysmon Event ID 1 for net.exe and net1.exe with CommandLine containing 'user df00techtest /delete'. Security Event ID 4720 (account created) for the creation step.

  2. Test 2: Disable Local User Account via PowerShell Set-LocalUser

    Expected signal: Security Event ID 4725 (A user account was disabled) with TargetUserName=df00techtest2. Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Set-LocalUser' and '-Enabled $false'. PowerShell ScriptBlock Log Event ID 4104 with the full Set-LocalUser command.

  3. Test 3: Bulk Account Password Change Simulation via Net Command

    Expected signal: Security Event ID 4723 (password change attempt) and/or 4724 (password reset) for df00techtest3. Sysmon Event ID 1 for net.exe with CommandLine containing 'user df00techtest3 NewL0ckedP@ssw0rd!'. The password value itself will appear in process creation logs if command line auditing is enabled.

  4. Test 4: Linux Account Lock via passwd -l

    Expected signal: Linux auditd records: syscall=execve for useradd and passwd commands with argv showing '-l df00techtest_linux'. Syslog entries in /var/log/auth.log or /var/log/secure: 'passwd: password changed for df00techtest_linux'. If auditd is configured with USER_MGMT rules, generates AUDIT_USER_MGMT events for account modification.
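To check the query's branch ordering, its computer-account filter and the SubjectUserName allowlist recommended in the tuning section against the telemetry the four tests above describe, here is an added Python re-implementation of the SPL scoring logic. It is example code written for this page, not the query itself or any vendor code: the event dicts, the host names, the `labadmin` and `svc_soar` accounts and the Sysmon-for-Linux record are constructed, while the regexes, scores and thresholds are copied from the query and the account names are the df00techtest* values from the tests.

```python
"""Offline model of the page's two-branch SPL scoring (constructed example, not the page's own code)."""
import re

SEC_SOURCETYPE = "WinEventLog:Security"
SYSMON_SOURCETYPE = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

# Regexes taken from the SPL query; the query lower-cases CommandLine before matching.
NET_USER_DELETE = re.compile(r"net\s+user.*/del")
NET_USER_PASSWORD = re.compile(r"net\s+user\s+\S+\s+\S+")
NET_USER_EXCLUDE = re.compile(r"/delete|/add|/domain")
PS_ACCOUNT_MOD = re.compile(r"set-localuser|set-adaccountpassword|disable-adaccount|remove-aduser|remove-localuser")
LINUX_ACCOUNT_MOD = re.compile(r"userdel|usermod\s+-l|passwd\s+\S+")
COMPUTER_ACCOUNT = re.compile(r"\$$")  # TargetUserName ending in $ is a machine account

# Stand-in for the CommandLine="*...*" prefilter terms (Splunk wildcard terms are case-insensitive).
PREFILTER = ("net user", "set-localuser", "set-adaccountpassword", "disable-adaccount",
             "remove-aduser", "remove-localuser", "userdel", "usermod -l", "passwd ")

SECURITY_ACTIONS = {  # EventCode -> (ActionType, RiskScore), as in the first eval/case pair
    4723: ("PasswordChangeAttempt", 40), 4724: ("PasswordResetAttempt", 60),
    4725: ("AccountDisabled", 70), 4726: ("AccountDeleted", 90), 4740: ("AccountLockedOut", 30),
}


def detection_note(score):
    """DetectionNote thresholds from the final eval/case."""
    if score >= 90:
        return "CRITICAL: Account deletion or high-confidence manipulation"
    if score >= 70:
        return "HIGH: Account disabled or PowerShell account modification"
    if score >= 50:
        return "MEDIUM: Password reset or Linux account modification"
    return "LOW: Password change attempt or lockout"


def score_security_event(ev):
    """Branch 1: Security log events 4723/4724/4725/4726/4740. Returns a hit dict or None."""
    if ev.get("sourcetype") != SEC_SOURCETYPE or ev.get("EventCode") not in SECURITY_ACTIONS:
        return None
    target = ev.get("TargetUserName", "")
    if COMPUTER_ACCOUNT.search(target):  # where NOT match(TargetUserName, "\$$")
        return None
    action, score = SECURITY_ACTIONS[ev["EventCode"]]
    return {"_time": ev["_time"], "host": ev.get("host"), "SubjectUserName": ev.get("SubjectUserName"),
            "TargetUserName": target, "EventCode": ev["EventCode"], "ActionType": action,
            "RiskScore": score, "Source": "SecurityEventLog"}


def score_process_event(ev):
    """Branch 2: Sysmon Event ID 1 command lines. Returns a hit dict or None."""
    if ev.get("sourcetype") != SYSMON_SOURCETYPE or ev.get("EventCode") != 1:
        return None
    cmd = ev.get("CommandLine", "").lower()
    if not any(term in cmd for term in PREFILTER):
        return None
    is_delete = bool(NET_USER_DELETE.search(cmd))
    is_pw_change = bool(NET_USER_PASSWORD.search(cmd)) and not NET_USER_EXCLUDE.search(cmd)
    is_ps = bool(PS_ACCOUNT_MOD.search(cmd))
    is_linux = bool(LINUX_ACCOUNT_MOD.search(cmd))
    # case() takes the first true condition, so a line that sets several flags gets the first score
    score = 90 if is_delete else 75 if is_ps else 65 if is_pw_change else 50 if is_linux else 40
    # The query renames Sysmon fields onto the Security-log column names so the union lines up
    return {"_time": ev["_time"], "host": ev.get("host"), "SubjectUserName": ev.get("User"),
            "TargetUserName": ev.get("CommandLine"), "EventCode": 1,
            "ActionType": "ProcessBasedAccountOp", "RiskScore": score, "Source": "ProcessCreation"}


def run_detection(events, allowlist=frozenset()):
    """Union both branches, drop allowlisted actors (the SOAR tuning item), annotate and sort."""
    hits = []
    for ev in events:
        hit = score_security_event(ev) or score_process_event(ev)
        if hit is None or hit["SubjectUserName"] in allowlist:
            continue
        hit["DetectionNote"] = detection_note(hit["RiskScore"])
        hits.append(hit)
    return sorted(hits, key=lambda h: (-h["RiskScore"], -h["_time"]))  # sort 0 -RiskScore, -_time


# Constructed sample events shaped like the four tests above, plus three benign records.
SAMPLE_EVENTS = [
    {"_time": 1, "host": "ws01", "sourcetype": SEC_SOURCETYPE, "EventCode": 4726,
     "SubjectUserName": "labadmin", "TargetUserName": "df00techtest"},
    {"_time": 2, "host": "ws01", "sourcetype": SYSMON_SOURCETYPE, "EventCode": 1, "User": "LAB\\labadmin",
     "CommandLine": "net user df00techtest /delete", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"_time": 3, "host": "ws01", "sourcetype": SEC_SOURCETYPE, "EventCode": 4725,
     "SubjectUserName": "labadmin", "TargetUserName": "df00techtest2"},
    {"_time": 4, "host": "ws01", "sourcetype": SYSMON_SOURCETYPE, "EventCode": 1, "User": "LAB\\labadmin",
     "CommandLine": "powershell.exe -Command Set-LocalUser -Name df00techtest2 -Enabled $false",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"_time": 5, "host": "ws01", "sourcetype": SEC_SOURCETYPE, "EventCode": 4723,
     "SubjectUserName": "labadmin", "TargetUserName": "df00techtest3"},
    {"_time": 6, "host": "ws01", "sourcetype": SYSMON_SOURCETYPE, "EventCode": 1, "User": "LAB\\labadmin",
     "CommandLine": "net user df00techtest3 NewL0ckedP@ssw0rd!", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Test 4 only reaches this query if Sysmon for Linux feeds the Sysmon sourcetype; auditd is not searched
    {"_time": 7, "host": "lnx01", "sourcetype": SYSMON_SOURCETYPE, "EventCode": 1, "User": "root",
     "CommandLine": "passwd -l df00techtest_linux", "ParentImage": "/bin/bash"},
    # Benign: machine-account password reset, removed by the trailing-$ filter
    {"_time": 8, "host": "dc01", "sourcetype": SEC_SOURCETYPE, "EventCode": 4724,
     "SubjectUserName": "DC01$", "TargetUserName": "WS01$"},
    # Benign: SOAR playbook disabling an account, suppressed by the allowlist
    {"_time": 9, "host": "dc01", "sourcetype": SEC_SOURCETYPE, "EventCode": 4725,
     "SubjectUserName": "svc_soar", "TargetUserName": "jdoe"},
    # Benign: unrelated net.exe use, dropped by the prefilter
    {"_time": 10, "host": "ws01", "sourcetype": SYSMON_SOURCETYPE, "EventCode": 1, "User": "LAB\\jdoe",
     "CommandLine": "net view \\\\fileserver", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for h in run_detection(SAMPLE_EVENTS, allowlist={"svc_soar"}):
        print(h["RiskScore"], h["Source"], h["SubjectUserName"], h["TargetUserName"], h["DetectionNote"])
```

Running it surfaces two points the query text does not spell out. First, the Sysmon branch reports `User` as `DOMAIN\name`, so an allowlist built from Security-log SubjectUserName values (such as `svc_soar`) has to carry the domain-qualified form as well before it suppresses the process-creation hits of the same automation account. Second, because the query lower-cases CommandLine before matching, `usermod -l` (rename login) and `usermod -L` (lock) score identically, and Test 4's auditd and syslog telemetry is outside the query's sourcetype filter, so Linux coverage depends on a Sysmon for Linux feed or an additional auditd branch.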
