Account Access Removal

Information

• Name: Account Access Removal

• ID: T1531

• Tactics:

Introduction

Account Access Removal (MITRE ATT&CK ID: T1531) refers to adversaries' actions designed to interrupt legitimate user access to systems, accounts, or resources. This tactic is typically employed to maintain persistence, evade detection, hinder incident response, or cause disruption by removing or restricting legitimate user access. Attackers may achieve this through disabling user accounts, deleting credentials, modifying permissions, or manipulating authentication mechanisms to lock out legitimate users.

Deep Dive Into Technique

Account Access Removal can be executed through several technical methods and mechanisms:

• Disabling or Deleting User Accounts:

  • Attackers may disable or delete accounts through operating system commands or administrative tools.

  • Example commands:

    • Windows: net user <username> /active:no or using PowerShell cmdlets like Disable-LocalUser.

    • Linux: passwd -l <username> to lock accounts or userdel <username> to delete accounts.

• Modifying Authentication Credentials:

  • Changing passwords or authentication tokens to prevent legitimate access.

  • Attackers might reset user passwords to unknown values or remove authentication keys from authorized lists.

• Manipulating Permissions and Privileges:

  • Reducing user privileges or altering permissions to restrict access to critical resources.

  • Adjusting group memberships or ACLs (Access Control Lists) to deny legitimate user access.

• Corrupting or Deleting Authentication Logs:

  • Attackers may delete or alter audit logs to conceal unauthorized access and complicate remediation efforts.

• Leveraging Identity and Access Management (IAM) Systems:

  • Manipulating cloud-based IAM policies to remove or restrict user permissions (e.g., AWS IAM, Azure AD).

Real-world procedures include:

• Using remote administration tools (RATs) or command-line interfaces (CLI) to disable accounts remotely.

• Employing scripts or automated tools to systematically remove or disable multiple user accounts simultaneously.

• Leveraging compromised administrator credentials to perform account access removals stealthily.

When this Technique is Usually Used

Account Access Removal is typically employed during several stages of an attack lifecycle and in various scenarios:

• Persistence and Privilege Escalation:

  • Attackers remove or disable legitimate administrator accounts to maintain exclusive administrative control over compromised systems.

• Defense Evasion and Anti-Forensics:

  • Removing user access to impede forensic investigations and incident response activities.

  • Disabling accounts to prevent users from detecting or responding to suspicious activities.

• Impact and Disruption:

  • During ransomware attacks or destructive operations, attackers remove user accounts to maximize disruption.

  • Sabotaging critical infrastructure by disabling operator or administrator access.

• Insider Threat Scenarios:

  • Disgruntled employees or insiders disabling access for other legitimate users or administrators.

• Credential Theft and Lateral Movement:

  • After stealing credentials, attackers disable legitimate accounts to prevent detection and response.

How this Technique is Usually Detected

Detection of Account Access Removal involves monitoring various indicators and employing specific detection methods:

• Monitoring Account Management Events:

  • Windows Event Logs:

    • Event ID 4725: User account disabled.

    • Event ID 4726: User account deleted.

    • Event ID 4738: User account changes (password changes, attribute modifications).

  • Linux System Logs:

    • /var/log/auth.log or /var/log/secure for account management activities and commands like userdel, passwd.

• Audit Logging and SIEM Correlation:

  • Security Information and Event Management (SIEM) systems correlating multiple account-related events to identify suspicious patterns.

  • Creating alert rules for multiple account disable/delete actions within short timeframes.

• Monitoring IAM and Cloud Environments:

  • AWS CloudTrail, Azure AD logs, Google Cloud Audit Logs for IAM policy changes and account disablement.

  • Alerts on unusual IAM policy modifications or sudden removal of user permissions.

• Endpoint Detection and Response (EDR) Tools:

  • EDR solutions detecting suspicious command execution (e.g., net user commands, PowerShell account disablement scripts).

Specific Indicators of Compromise (IoCs):

• Sudden spike in account disablement or deletion events.

• Account management actions performed outside of normal working hours.

• Account management activities from unusual IP addresses or hosts.

• Unusual privilege escalation or modification events preceding account disablement.

Why it is Important to Detect This Technique

Early detection of Account Access Removal is crucial due to its significant potential impacts on organizations:

• Operational Disruption:

  • Loss of access to critical systems, applications, or resources can severely disrupt business operations and productivity.

• Security Compromise and Persistence:

  • Attackers disabling legitimate administrator accounts can gain persistent, exclusive control over compromised systems and networks.

• Incident Response Delays:

  • Removing user access complicates incident response, remediation, and forensic investigation processes, prolonging recovery timelines.

• Data Loss and Theft:

  • Attackers may remove account access to prevent users from detecting data exfiltration activities or unauthorized access to sensitive data.

• Regulatory and Compliance Implications:

  • Failure to detect and respond promptly to account access removal can lead to compliance violations and regulatory penalties.

• Reputation Damage:

  • Prolonged disruptions and compromised security can damage organizational reputation, customer trust, and market position.

Examples

Real-world examples and scenarios demonstrating Account Access Removal:

• NotPetya Ransomware Attack (2017):

  • Attackers leveraged credential theft and privilege escalation, subsequently deleting or disabling administrator accounts to impede recovery and forensics.

  • Tools used: Mimikatz (credential theft), PSExec (lateral movement), and PowerShell scripts for account management.

  • Impact: Massive operational disruption, financial losses estimated in billions of dollars, and prolonged recovery periods.

• APT29 (Cozy Bear) Operations:

  • Attackers disabled or modified user accounts after compromising networks to maintain persistence and evade detection.

  • Techniques involved credential theft, PowerShell scripting, and remote account management.

  • Impact: Persistent espionage operations, prolonged undetected access, and difficulties in incident response.

• Insider Threat Incident (Tesla, 2018):

  • A disgruntled employee disabled legitimate user accounts and modified permissions to sabotage internal operations and steal sensitive data.

  • Methods: Internal administrative access, account disablement via administrative consoles, and permission modifications.

  • Impact: Data theft, operational disruption, and internal investigation costs.

• Cloud Infrastructure Attacks (AWS, Azure):

  • Attackers manipulating IAM policies to remove or restrict legitimate user permissions.

  • Tools used: Compromised cloud admin credentials, AWS CLI, Azure PowerShell modules.

  • Impact: Loss of access to cloud resources, unauthorized resource provisioning, data exfiltration, and increased operational costs.

• Ransomware Attacks (Ryuk, REvil, Conti):

  • Attackers disabling or deleting user accounts to prevent recovery and maximize disruption.

  • Tools and procedures: Credential dumping (Mimikatz), privilege escalation scripts, administrative commands (net user, PowerShell).

  • Impact: Prolonged operational downtime, financial losses, data loss, and increased recovery efforts.