title: Account Access Removal (T1531)
id: df00tech-t1531
status: experimental
description: "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (changed credentials, revoked permissions) to remove access. In Windows, the Net utility, Set-LocalUser, and Set-ADAccountPassword PowerShell cmdlets may be used to modify user accounts. In Linux, the passwd utility may be used to change passwords. Ransomware families such as LockerGoga, MegaCortex, and Akira use this technique to impede incident response before completing their encryption objective. LAPSUS$ has removed global admin accounts to lock organizations out of all access."
references:
  - https://attack.mitre.org/techniques/T1531/
  - https://df00tech.com/detections/T1531
author: df00tech
date: 2026/04/20
tags:
  - attack.t1531
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder: '*' matches every process_creation event, so this rule fires on all of
  # them and must be replaced with real selection logic before it is enabled.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - IT help desk staff routinely resetting user passwords (Event ID 4724) during service desk ticket resolution — correlate with ticketing system activity
  - "Automated account provisioning/deprovisioning via IAM tools (SailPoint, CyberArk, BeyondTrust) generating bulk account disable/delete events during employee offboarding cycles"
  - Active Directory cleanup scripts run by domain admins to remove stale or orphaned computer and service accounts
  - "Password policy enforcement tools forcing password resets at expiry, generating high volumes of 4723/4724 events"
  - Security testing or red team exercises simulating ransomware precursor behavior in lab environments
level: high
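An added example, not part of the df00tech rule or its KQL/SPL query: a Python matcher for the Windows process_creation half of this technique (net.exe user manipulation and the Set-LocalUser / Set-ADAccountPassword cmdlets named in the description), run over constructed events, with an account allowlist standing in for the help desk / IAM correlation the falsepositives section calls for. The account names, paths and events are constructed; /delete and /active:no are standard net.exe switches that the rule itself does not quote.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class ProcessEvent(NamedTuple):
    user: str           # account that started the process
    image: str          # full path of the executable
    command_line: str

# Commands named in the rule description: the Net utility and the Set-LocalUser /
# Set-ADAccountPassword cmdlets. /delete and /active:no are standard net.exe switches.
NET_USER = re.compile(r'\bnet1?(?:\.exe)?\s+user\s+(?:"[^"]+"|\S+)\s+(?P<rest>.+)', re.I)
PS_PASSWORD = re.compile(r"\bSet-ADAccountPassword\b|\bSet-LocalUser\b.*-Password\b", re.I)
# Hypothetical help desk / IAM accounts whose changes are expected (see falsepositives).
EXPECTED_ADMIN_ACCOUNTS = {"CORP\\helpdesk-bot", "CORP\\svc-iam"}

def classify(ev: ProcessEvent) -> Optional[str]:
    """Label the T1531 behaviour in one process_creation event, or None if benign."""
    if ev.user in EXPECTED_ADMIN_ACCOUNTS:
        return None
    exe = ev.image.lower().rsplit("\\", 1)[-1]
    if exe in ("net.exe", "net1.exe"):
        m = NET_USER.search(ev.command_line)
        if not m:
            return None                 # "net user <name>" alone only reads the account
        rest = m.group("rest").lower()
        if "/delete" in rest:
            return "account_deleted"
        if "/active:no" in rest:
            return "account_disabled"
        if "/add" in rest or rest.startswith("/"):
            return None                 # account creation or other switches, not removal
        return "credentials_changed"    # net user <name> <newpassword>
    if exe in ("powershell.exe", "pwsh.exe") and PS_PASSWORD.search(ev.command_line):
        return "credentials_changed"
    return None

def scan(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (user, label, command_line) for each event classify() flags."""
    return [(e.user, lbl, e.command_line) for e in events if (lbl := classify(e))]

SAMPLE_EVENTS = [  # constructed telemetry for this demo, not real log data
    ProcessEvent("CORP\\jdoe", r"C:\Windows\System32\net1.exe", "net1 user backupadmin /delete"),
    ProcessEvent("CORP\\jdoe", r"C:\Windows\System32\net.exe", 'net user "Domain Admin" /active:no'),
    ProcessEvent("CORP\\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c Set-ADAccountPassword -Identity itadmin -Reset"),
    ProcessEvent("CORP\\helpdesk-bot", r"C:\Windows\System32\net.exe", "net user alice Welcome1!"),
    ProcessEvent("CORP\\jdoe", r"C:\Windows\System32\net.exe", "net user alice"),
    ProcessEvent("CORP\\jdoe", r"C:\Windows\System32\net.exe", "net user newhire P@ss /add"),
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events only; the help desk password reset, the read-only lookup and the account creation are left alone.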
