T1531: Account Access Removal
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials, revoked permissions for SaaS platforms such as Sharepoint) to remove access to accounts.[1] Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.[2][3]
In Windows, the Net utility and the Set-LocalUser and Set-ADAccountPassword PowerShell cmdlets may be used by adversaries to modify user accounts. Accounts could also be disabled by Group Policy. In Linux, the passwd utility may be used to change passwords. On ESXi servers, accounts can be removed or modified via esxcli (`system account set`, `system account remove`).
Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.
Analyst context for executives and security teams
Account Access Removal matters because it turns identity administration into an availability attack. Instead of only stealing data or encrypting systems, an adversary may delete, lock, disable, change credentials, or revoke permissions for legitimate accounts across endpoints, SaaS, IaaS, office suites, and ESXi. For leaders, this is a recovery-readiness issue: if responders, administrators, service accounts, or business users lose access during an incident, containment and restoration can slow down significantly.
Executive priority
Treat this technique as an impact and resilience control test. Executives should ask whether the organization can still administer identity, cloud, SaaS, ESXi, and endpoint environments if privileged accounts are disabled or passwords are changed. This is especially relevant to ransomware, wiper, and extortion scenarios represented in the supplied relationships, where account disruption may be used to impede response before or alongside destructive actions.
Technical view
SOC, detection engineering, and IR teams should validate audit correlation across account lifecycle changes on Windows, Linux, macOS, SaaS, IaaS, Office Suite, and ESXi. The ATT&CK object specifically references Windows Net, PowerShell cmdlets such as Set-LocalUser and Set-ADAccountPassword, Group Policy account disabling, Linux passwd usage, and ESXi esxcli account set/remove activity. Because no official MITRE detection text is provided, teams should use the related DET0120 detection strategy concept (multi-platform audit correlation) as the defensive direction rather than relying on one log source.
Likely telemetry
- Identity provider and directory audit logs for account deletion, disablement, lockout, password reset, permission revocation, and group membership changes
- Windows security, PowerShell, process creation, and Group Policy change telemetry related to account modification
- Linux authentication and account management logs, including passwd-related activity
- SaaS and Office Suite audit logs for user access revocation and permission changes, including SharePoint/Microsoft 365-style access changes where applicable
- IaaS control-plane logs for identity, role, policy, and access key changes
Detection direction
- Correlate unusual or high-volume account disablement, deletion, password reset, lockout, or permission revocation across platforms rather than monitoring only endpoint events.
- Prioritize alerts involving privileged, break-glass, administrator, service, backup, security tooling, and incident response accounts.
- Tune for legitimate administrative maintenance, HR offboarding, password rotation, and access review workflows to reduce false positives.
- Look for account access changes occurring shortly before or during other impact behaviors such as system shutdown/reboot, data destruction, defacement, or data encryption for impact, as described by ATT&CK.
- Validate that SaaS, IaaS, Office Suite, and ESXi administrative actions are ingested into the same investigation workflow as Windows and Linux account events.
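The correlation direction above, worked through as an added example (not part of the ATT&CK object or the Glexia analysis): normalised account-lifecycle events from Windows, Linux, ESXi and a SaaS audit log are grouped by the acting identity, and an alert is raised when one actor performs a burst of removal-type actions inside a short window or touches a privileged/response account. The event list, the privileged-account set, the sanctioned offboarding actor and the thresholds are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalised from several sources
# (Windows Security, Linux auth log, ESXi shell audit, SaaS audit log).
# Fields: timestamp, platform, actor (who made the change), target, action.
EVENTS = [
    ("2025-10-05T02:01:10", "windows", "svc-hr-offboard", "jdoe",        "disable"),
    ("2025-10-05T02:14:02", "windows", "bob.admin",       "backup-svc",  "password_reset"),
    ("2025-10-05T02:15:30", "windows", "bob.admin",       "ir-oncall",   "disable"),
    ("2025-10-05T02:16:05", "linux",   "bob.admin",       "root",        "password_reset"),
    ("2025-10-05T02:17:40", "esxi",    "bob.admin",       "vcenter-svc", "remove"),
    ("2025-10-05T02:18:12", "saas",    "bob.admin",       "secops-team", "revoke_permission"),
    ("2025-10-05T09:30:00", "saas",    "alice.admin",     "intern01",    "revoke_permission"),
]

# Action types that remove or degrade a legitimate user's access.
REMOVAL_ACTIONS = {"disable", "delete", "lock", "password_reset", "remove", "revoke_permission"}
# Accounts whose loss would impede response (assumed list for this example).
PRIVILEGED = {"root", "backup-svc", "ir-oncall", "vcenter-svc", "secops-team", "break-glass"}
# Actors doing sanctioned high-volume lifecycle work (HR offboarding automation); tuned out.
SANCTIONED_ACTORS = {"svc-hr-offboard"}


def correlate(events, window=timedelta(minutes=15), burst=3):
    """Group removal actions by actor across platforms; return one alert per actor
    whose actions form a burst within `window` or hit a privileged target."""
    by_actor = defaultdict(list)
    for ts, platform, actor, target, action in events:
        if action in REMOVAL_ACTIONS and actor not in SANCTIONED_ACTORS:
            by_actor[actor].append((datetime.fromisoformat(ts), platform, target, action))
    alerts = []
    for actor, items in by_actor.items():
        items.sort()
        for i, (start, *_) in enumerate(items):
            # Sliding window starting at each event; events are time-sorted.
            run = [e for e in items[i:] if e[0] - start <= window]
            platforms = sorted({e[1] for e in run})
            priv = sorted({e[2] for e in run if e[2] in PRIVILEGED})
            if len(run) >= burst or priv:
                alerts.append({"actor": actor, "count": len(run),
                               "platforms": platforms, "privileged_targets": priv})
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

A single disable of a break-glass or responder account alerts on its own, while the HR automation account's routine offboarding is tuned out, which mirrors the prioritisation and false-positive guidance in the list above.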
Mitigation priorities
- Maintain resilient administrative access paths, including protected emergency access accounts and documented recovery procedures.
- Restrict and monitor who can disable accounts, reset passwords, revoke SaaS/IaaS permissions, alter Group Policy, or modify ESXi accounts.
- Separate day-to-day administrative accounts from emergency recovery accounts and protect critical service, backup, and security operations accounts from routine administrative blast radius.
- Ensure audit logging is enabled and retained for account and permission changes across identity, endpoint, SaaS, cloud, and virtualization platforms.
- Test incident response playbooks for scenarios where administrator, responder, or business-critical accounts are locked, removed, or altered.
Analyst notes and limits
This technique is categorized under the impact tactic and spans Linux, macOS, Windows, SaaS, IaaS, Office Suite, and ESXi. The supplied relationships connect it to ransomware, wiper, and extortion-related actors or software, reinforcing its value as a resilience and incident response readiness concern. The strongest defensive framing is not a single signature but cross-platform audit correlation around account and permission state changes.
MITRE did not provide official detection text for this object. The recommended telemetry and detection direction are derived from the official description, listed platforms, named utilities/cmdlets, and the supplied DET0120 relationship. Local validation is required to confirm which identity, SaaS, cloud, endpoint, and ESXi logs are actually collected and retained.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Groups, software, and campaigns
G1024: Akira
Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with Conti ransomware.[3][4][5]
G1004: LAPSUS$
LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
S0576: MegaCortex
MegaCortex is ransomware that first appeared in May 2019.[1] MegaCortex has mainly targeted industrial organizations.[2][3]
S0372: LockerGoga
LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.[1][2]
S0688: Meteor
Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.[1]
S1134: DEADWOOD
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.5 | | Current bundle | d1a1b18c7a4d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Obsidian Security SaaS Ransomware June 2023: Obsidian Threat Research Team. (2023, June 6). SaaS Ransomware Observed in the Wild for Sharepoint in Microsoft 365. Retrieved October 5, 2025.
[2] CarbonBlack LockerGoga 2019: CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
[3] Unit42 LockerGoga 2019: Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
[4] mitre-attack T1531.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.