DC0009: User Account Deletion
The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service.
Analyst context for executives and security teams
User Account Deletion is evidence that an account for a person, service, or machine was removed from an operating system, cloud identity system, or directory service. For leaders, this matters because account deletion can affect business continuity, incident containment, audit evidence, and identity governance. The key question is not whether deletion is always malicious, but whether the organization can prove who or what deleted an account, when it happened, whether it was authorized, and what dependent services or access paths were affected.
Executive priority
Prioritize this data component as part of identity and access management, incident response readiness, and compliance evidence. Account deletion records help validate offboarding, privileged access governance, service account lifecycle management, and emergency containment actions. They also help executives distinguish normal administrative activity from potentially disruptive or unauthorized identity changes. Because ATT&CK provides no specific detection logic or platform scope for this object, coverage should be assessed locally across the operating systems, cloud identity providers, and directory services the business relies on.
Technical view
SOC, detection engineering, and IR teams should validate that account deletion events are logged consistently for user, service, and machine accounts across relevant identity stores. Useful analysis should preserve the deleted account identifier, account type, deletion time, actor or process responsible, source system, administrative context, and any related change-management or ticket reference where available. Because no ATT&CK tactics, techniques, or relationships are supplied, detections should be environment-driven: focus on unauthorized deletion, deletion by unusual administrators or automation, deletion outside expected workflows, deletion of privileged or service accounts, and deletion patterns that could disrupt authentication or operations.
Likely telemetry
- Operating system account management logs showing account removal
- Cloud identity management audit logs for user, service, or machine account deletion
- Directory service audit logs for account object deletion
- Administrative activity logs identifying the actor, source, and time of deletion
- Change-management, IAM, or ticketing records used to validate whether the deletion was authorized
Detection direction
- Confirm deletion events are actually collected and retained from each authoritative identity source, not only from endpoint or SIEM summaries.
- Tune alerting around high-risk account classes such as privileged accounts, service accounts, machine accounts, and accounts tied to critical business systems.
- Correlate deletion events with approved offboarding, lifecycle automation, or incident response actions to reduce false positives.
- Review deletions performed by new, rarely used, or unexpected administrative identities or automation accounts.
- Look for deletion activity outside normal administrative windows or inconsistent with established identity governance workflows.
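As an added example (not code from this page, from MITRE or from Glexia), the detection direction above expressed as a small triage routine over normalized deletion events drawn from several identity stores. The event field names, the approved-ticket map, the set of authorized deleting identities, the `svc-`/`adm-` privileged-prefix rule and the 08:00 to 18:00 administrative window are all assumptions standing in for an organization's own IAM, ticketing and policy data; the events are constructed.

```python
"""Triage normalized account-deletion events (added example). Field names, account-class
rules, the approved-ticket map and the change window are assumptions; the events are
constructed sample data, not records from any real identity store."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

@dataclass
class DeletionEvent:
    source: str        # authoritative identity store that emitted the event
    account: str       # deleted account identifier
    account_type: str  # "user", "service" or "machine"
    actor: str         # administrator or automation identity that performed the deletion
    when: datetime     # deletion time (UTC)
    ticket: Optional[str] = None  # change-management reference carried by the event, if any

# Constructed stand-ins for ticketing exports and IAM policy (assumptions).
APPROVED_TICKETS = {"CHG-1001": "j.doe", "CHG-1002": "svc-backup"}  # ticket -> account approved for deletion
DELETION_ADMINS = {"iam-automation", "admin.alice"}                  # identities allowed to delete accounts
PRIVILEGED_PREFIXES = ("svc-", "adm-")                              # naming rule for high-risk accounts
WINDOW = (time(8, 0), time(18, 0))                                  # expected administrative hours

def triage(ev: DeletionEvent) -> list:
    """Return the review reasons for one deletion event; an empty list means expected activity."""
    reasons = []
    # The ticket must exist and must name the account that was actually deleted,
    # so a valid ticket reused against a different account is still flagged.
    if ev.ticket is None or APPROVED_TICKETS.get(ev.ticket) != ev.account:
        reasons.append("no matching approved offboarding/lifecycle ticket")
    if ev.actor not in DELETION_ADMINS:
        reasons.append(f"unexpected deleting identity {ev.actor}")
    if ev.account_type != "user" or ev.account.startswith(PRIVILEGED_PREFIXES):
        reasons.append("high-risk account class (privileged/service/machine)")
    if not WINDOW[0] <= ev.when.time() <= WINDOW[1]:
        reasons.append("outside normal administrative window")
    return reasons

def triage_all(events) -> dict:
    """Map each deleted account to its review reasons."""
    return {e.account: triage(e) for e in events}

SAMPLE_EVENTS = [  # constructed; one record per identity source type
    DeletionEvent("windows-ad", "j.doe", "user", "iam-automation",
                  datetime(2026, 3, 2, 10, 15), "CHG-1001"),
    DeletionEvent("cloud-idp", "svc-backup", "service", "admin.alice",
                  datetime(2026, 3, 2, 11, 0), "CHG-1002"),
    DeletionEvent("windows-ad", "adm-breakglass", "user", "admin.bob",
                  datetime(2026, 3, 2, 2, 40)),
    DeletionEvent("directory", "WKS-042$", "machine", "iam-automation",
                  datetime(2026, 3, 2, 9, 5), "CHG-1001"),
]
```

Only the ticketed, in-window user deletion by an authorized identity comes back clean; the machine account shows how a ticket approved for one account does not cover another.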
Mitigation priorities
- Establish clear account lifecycle procedures for user, service, and machine accounts, including approval and documentation for deletion.
- Restrict account deletion privileges to authorized administrators and controlled automation.
- Require logging and retention for deletion events in operating systems, cloud identity systems, and directory services.
- Validate that privileged and service account deletions trigger review or notification before they affect critical operations.
- Maintain recovery or rollback procedures where supported by the identity platform, especially for critical accounts.
Analyst notes and limits
This object is a data component, not a technique. It describes the observable event of account removal and does not provide ATT&CK tactic mapping, platform enumeration, detection logic, or relationship context. Its value is strongest when used to test whether identity telemetry can support investigations, compliance reviews, and operational impact analysis after an account is removed.
ATT&CK did not provide official detection guidance, tactics, platforms, or relationships for this object. The description supports references to operating systems, cloud identity management systems, and directory services, but local products, event IDs, schemas, retention periods, and control effectiveness must be validated by the organization.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | bd70b12d87ba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DC0009 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.