detection.wiki

ATT&CK coverage › Technique

Account Access Removal T1531

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.

Events covered

6 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4624An account was successfully logged on.
Security-Auditing4634An account was logged off.
Security-Auditing4647User initiated logoff.
Security-Auditing4724An attempt was made to reset an account's password.
PowerShell4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 5 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (10 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
ScriptBlockText2match 1, eq 1-Members , -Identity , Remove-ADGroupMember, "*quser*logoff*"
EventType1eq 1reset-password, logged-in
user1match 1SVC, DMZ, service
TargetSid1wildcard 1S-1-5-21-*-500, S-1-12-1-*-500
event.outcome1eq 1success
source.ip1ne 1127.0.0.1, ::1
LogonType1eq 1Network
parent_process_name1in 1"cmd.exe", "pwsh.exe", "powershell.exe"
process_name1eq 1logoff.exe
EventID1eq 14104

Top indicator values (24 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
TargetSidwildcardS-1-5-21-*-5001
EventTypeeqlogged-in17
LogonTypeeqNetwork14
event.outcomeeqsuccess18
usermatchservice1
TargetSidwildcardS-1-12-1-*-5001
usermatchDMZ1
usermatchsuper1
usermatchADM1
source.ipne::117
EventTypeeqreset-password1
usermatchSVC1
usermatchAdmin1
source.ipne127.0.0.118
usermatchDC01
ScriptBlockTextmatchRemove-ADGroupMember1
ScriptBlockTextmatch-Identity 1
ScriptBlockTextmatch-Members 1
process_nameeqlogoff.exe1
parent_process_namein"powershell.exe"12

Common exclusions (5 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

FieldKindValueRules excluding
userwildcardPIM_*1
userwildcard*$1
userwildcardsvc*1
userwildcard_*_1
userwildcard*-*-*1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 2 rules

Elastic 1 rule

Splunk 2 rules