EXPLORE
Sign In
← Back to Explore
T1531

Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts.(Citation: Obsidian Security SaaS Ransomware June 2023) Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious chan...

LinuxmacOSWindowsSaaSIaaSOffice SuiteESXi
27
Detections
3
Sources
2
Threat Actors

BY SOURCE

12elastic9sigma6splunk_escu

PROCEDURES (16)

General Monitoring4 detections

Auto-extracted: 4 detections for general monitoring

Service2 detections

Auto-extracted: 2 detections for service

Api2 detections

Auto-extracted: 2 detections for api

Authentication Monitoring2 detections

Auto-extracted: 2 detections for authentication monitoring

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Credential2 detections

Auto-extracted: 2 detections for credential

Service1 detections

Auto-extracted: 1 detections for service

Privilege1 detections

Auto-extracted: 1 detections for privilege

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Aws1 detections

Auto-extracted: 1 detections for aws

Aws1 detections

Auto-extracted: 1 detections for aws

Api1 detections

Auto-extracted: 1 detections for api

Cloud1 detections

Auto-extracted: 1 detections for cloud

Service1 detections

Auto-extracted: 1 detections for service

Api1 detections

Auto-extracted: 1 detections for api

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

THREAT ACTORS (2)

AkiraLAPSUS$

DETECTIONS (27)

Account Password Reset Remotely
elasticmedium
Attempt to Revoke Okta API Token
elasticlow
AWS ElastiCache Security Group Modified or Deleted
sigmalow
AWS IAM Deactivation of MFA Device
elasticmedium
AWS IAM Group Deletion
elasticlow
AWS SAML Provider Deletion Activity
sigmamedium
Azure Kubernetes Service Account Modified or Deleted
sigmamedium
Cisco ASA - User Account Deleted From Local Database
splunk_escu
GCP IAM Role Deletion
elasticlow
GCP IAM Service Account Key Deletion
elasticlow
GCP Service Account Deletion
elasticmedium
GCP Service Account Disabled
elasticmedium
Google Cloud Service Account Disabled or Deleted
sigmamedium
Google Workspace Admin Role Deletion
elasticmedium
Google Workspace MFA Enforcement Disabled
elasticmedium
Group Has Been Deleted Via Groupdel
sigmamedium
Linux User or Group Deletion
elasticlow
Okta User Account Locked Out
sigmamedium
Remove Account From Domain Admin Group
sigmamedium
SSH Authorized Keys File Deletion
elasticlow
User Has Been Deleted Via Userdel
sigmamedium
User Logoff Event
sigmainformational
Windows Account Access Removal via Logoff Exec
splunk_escu
Windows Excessive Usage Of Net App
splunk_escu
Windows Powershell Logoff User via Quser
splunk_escu
Windows User Deletion Via Net
splunk_escu
Windows User Disabled Via Net
splunk_escu