Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or perform a System Shutdown/Reboot to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
In Windows, the Net utility and the <code>Set-LocalUser</code> and <code>Set-ADAccountPassword</code> PowerShell cmdlets may be used by adversaries to modify user accounts. In Linux, the <code>passwd</code> utility may be used to change (or lock) passwords. Accounts can also be disabled through Group Policy.
Adversaries who use ransomware or similar attacks may first perform this and other Impact behaviors, such as Data Destruction and Defacement, in order to impede incident response/recovery before completing the Data Encrypted for Impact objective.
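The two paragraphs above name the tools an adversary uses (Net, the PowerShell cmdlets, passwd) and the pattern a ransomware operator produces: many accounts reset, disabled or deleted in quick succession just before encryption. The following is an added example, not code from the ATT&CK page or from any of the mapped products, showing the detection side of that: it normalises account-manipulation records from Windows Security events (the standard IDs 4724/4725/4726/4740, deliberately ignoring 4723 because a user changing their own password is benign) and from Linux sudo log lines running passwd/usermod/userdel, then flags any actor that removes access to three or more distinct accounts within five minutes. The event records, sudo lines, host and account names, and the year assumed for the syslog timestamps are all constructed for illustration.

```python
"""Added example, not code from the ATT&CK page or from any vendor: normalise
account-manipulation records from Windows Security events and Linux sudo logs,
then flag actors that remove access to several accounts in a short window.
All sample records below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for the account changes T1531 describes.
# 4723 (user changes own password) is deliberately excluded as benign.
WIN_ACTIONS = {4724: "password reset", 4725: "account disabled",
               4726: "account deleted", 4740: "account locked out"}

# sudo's syslog line: "<ts> <host> sudo:  <actor> : TTY=... ; COMMAND=<argv>"
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<actor>\S+) : "
                     r".*COMMAND=(?P<cmd>.+)$")
LOG_YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample


def from_windows(ev):
    """Normalise one Windows Security event (dict of EventData fields) or return None."""
    action = WIN_ACTIONS.get(ev["EventID"])
    if action is None:
        return None
    actor, target = ev["SubjectUserName"], ev["TargetUserName"]
    if ev["EventID"] == 4724 and actor.lower() == target.lower():
        return None  # self-reset, treat like 4723
    return {"ts": datetime.fromisoformat(ev["TimeCreated"]), "actor": actor,
            "target": target, "action": action, "source": "windows"}


def from_linux(line):
    """Normalise a sudo line running passwd/usermod/userdel against another user, or None."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    argv = m.group("cmd").split()
    prog, args = argv[0].rsplit("/", 1)[-1], argv[1:]
    if prog not in ("passwd", "usermod", "userdel") or not args:
        return None  # not an account tool, or `passwd` with no target (self-change)
    if prog == "userdel":
        action = "account deleted"
    elif (prog == "passwd" and "-l" in args) or (prog == "usermod" and "-L" in args):
        action = "account locked"
    elif prog == "passwd":
        action = "password reset"
    else:
        return None  # other usermod edits are out of scope here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "actor": m.group("actor"), "target": args[-1],
            "action": action, "source": "linux"}


def find_bursts(events, min_targets=3, window=timedelta(minutes=5)):
    """Actors that hit >= min_targets distinct accounts within `window` (pre-encryption staging)."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    bursts = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            targets = {e["target"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                bursts[actor] = sorted(targets)
                break
    return bursts


WINDOWS_SAMPLE = [  # constructed; fields as exported from the Security log
    {"TimeCreated": "2024-03-10T02:14:05", "EventID": 4723, "SubjectUserName": "alice", "TargetUserName": "alice"},
    {"TimeCreated": "2024-03-10T02:15:10", "EventID": 4724, "SubjectUserName": "svc_backup", "TargetUserName": "alice"},
    {"TimeCreated": "2024-03-10T02:15:12", "EventID": 4724, "SubjectUserName": "svc_backup", "TargetUserName": "bob"},
    {"TimeCreated": "2024-03-10T02:15:14", "EventID": 4725, "SubjectUserName": "svc_backup", "TargetUserName": "carol"},
    {"TimeCreated": "2024-03-10T02:15:16", "EventID": 4726, "SubjectUserName": "svc_backup", "TargetUserName": "dave"},
    {"TimeCreated": "2024-03-10T09:30:00", "EventID": 4725, "SubjectUserName": "helpdesk1", "TargetUserName": "erin"},
    {"TimeCreated": "2024-03-10T09:31:00", "EventID": 4740, "SubjectUserName": "DC01$", "TargetUserName": "frank"},
]
LINUX_SAMPLE = """\
Mar 10 02:16:01 srv1 sudo:    mallory : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/passwd -l alice
Mar 10 02:16:02 srv1 sudo:    mallory : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/usermod -L bob
Mar 10 02:16:03 srv1 sudo:    mallory : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/userdel -r carol
Mar 10 08:00:00 srv1 sudo:    ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 08:05:00 srv1 sudo:    ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/passwd
""".splitlines()  # constructed


def run_sample():
    """Normalised events from both sources plus any burst findings."""
    events = [e for e in map(from_windows, WINDOWS_SAMPLE) if e]
    events += [e for e in map(from_linux, LINUX_SAMPLE) if e]
    return events, find_bursts(events)


if __name__ == "__main__":
    events, bursts = run_sample()
    for e in sorted(events, key=lambda e: e["ts"]):
        print(f"{e['ts']:%m-%d %H:%M:%S} {e['source']:7} {e['action']:18} {e['target']:8} by {e['actor']}")
    for actor, targets in bursts.items():
        print(f"BURST: {actor} removed access to {len(targets)} accounts within 5 min: {targets}")
```

On the sample, the helpdesk disable and the single lockout stay as individual events, while both `svc_backup` (four Windows accounts in six seconds) and `mallory` (three Linux accounts) surface as bursts. Two choices matter in practice: attribution on Linux comes from the sudo line rather than the pam_unix "password changed" message, which does not name who ran the command, and a 4724 reset is only counted when the subject differs from the target, since that distinction separates an administrator (or adversary) resetting someone else's password from a routine self-service change.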
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Brute force | Brute force or password guessing attacks. | related-to | T1531 | Account Access Removal | |
action.malware.variety.Brute force | Brute force attack | related-to | T1531 | Account Access Removal | |
action.hacking.variety.Unknown | Unknown | related-to | T1531 | Account Access Removal | |
attribute.availability.variety.Destruction | Destruction | related-to | T1531 | Account Access Removal | |
attribute.availability.variety.Interruption | Interruption | related-to | T1531 | Account Access Removal | |
attribute.integrity.variety.Unknown | Unknown | related-to | T1531 | Account Access Removal | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1531 | Account Access Removal | |
Comments
The following Microsoft Sentinel Hunting queries can identify potentially malicious behavior on user accounts: "AD Account Lockout", "Anomalous Password Reset", "SQL User deleted from Database", "User removed from SQL Server Roles", and "User removed from SQL Server SecurityAdmin Group".
The Microsoft Sentinel Analytics "Sensitive Azure Key Vault operations" query can identify attempts to remove account access by deleting keys or entire key vaults.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
amazon_guardduty | Amazon GuardDuty | technique_scores | T1531 | Account Access Removal | |
Comments
The following GuardDuty finding type flags events where adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users:
Impact:IAMUser/AnomalousBehavior
aws_security_hub | AWS Security Hub | technique_scores | T1531 | Account Access Removal | |
Comments
AWS Security Hub performs a check from the AWS Foundations CIS Benchmark that, if implemented, would help detect the modification of accounts. AWS Security Hub provides this detection with the following check:
3.4 Ensure a log metric filter and alarm exist for IAM policy changes
This is scored as Partial because it only supports monitoring of changes to AWS IAM accounts, not of accounts on the operating systems of instances.
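The Security Hub check above is a CloudWatch Logs metric filter over CloudTrail, and its coverage is exactly the list of eventName values in that filter. As an added example (not code from the page, from Security Hub or from AWS), the block below compiles the CIS 3.4 filter pattern into a matcher, runs constructed CloudTrail records through it, and lists the IAM calls that remove or alter a user's ability to sign in but fall outside the pattern. The pattern string is reproduced from the CIS AWS Foundations Benchmark v1.2.0, control 3.4, and should be verified against your own copy; the set of IAM event names treated as T1531-relevant, the CloudTrail records and the user names are this example's assumptions.

```python
"""Added example, not code from the page, Security Hub or AWS: compile the
CIS AWS Foundations Benchmark 3.4 metric filter pattern into a matcher, run
constructed CloudTrail records through it, and list the IAM calls relevant to
T1531 that the pattern does not cover. The pattern string is reproduced from
the benchmark (v1.2.0, control 3.4); verify it against your own copy."""
import re

CIS_3_4_PATTERN = (
    "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||"
    "($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||"
    "($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||"
    "($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||"
    "($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||"
    "($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||"
    "($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||"
    "($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}"
)

# IAM API names that remove or alter a user's ability to sign in (real IAM actions),
# none of which appear in the 3.4 pattern above. The selection is this example's.
T1531_IAM_EVENTS = {"DeleteUser", "DeleteLoginProfile", "UpdateLoginProfile",
                    "DeleteAccessKey", "UpdateAccessKey", "DeactivateMFADevice"}

# One "($.field=value)" or "($.field!=value)" term of a JSON filter pattern.
TERM_RE = re.compile(r"\(\s*\$\.(?P<field>[\w.]+)\s*(?P<op>!?=)\s*(?P<value>[^)\s]+)\s*\)")


def parse_terms(pattern):
    """Return [(field, op, value)] for an OR-only '{(...)||(...)}' pattern; reject anything else."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a JSON filter pattern wrapped in braces")
    inner = body[1:-1]
    terms = [(m["field"], m["op"], m["value"].strip('"')) for m in TERM_RE.finditer(inner)]
    leftover = TERM_RE.sub("", inner).replace("||", "").strip()
    if not terms or leftover:
        raise ValueError(f"unsupported filter syntax: {leftover!r}")
    return terms


def compile_filter(pattern):
    """Turn the pattern into a predicate over a CloudTrail record (a dict)."""
    terms = parse_terms(pattern)

    def lookup(record, field):
        cur = record
        for part in field.split("."):
            if not isinstance(cur, dict) or part not in cur:
                return None
            cur = cur[part]
        return cur

    def matches(record):
        return any((lookup(record, f) == v) if op == "=" else (lookup(record, f) != v)
                   for f, op, v in terms)
    return matches


def coverage(pattern, records):
    """Which records the filter would alarm on, and which T1531-relevant IAM calls slip past it."""
    match = compile_filter(pattern)
    return {
        "matched": [r["eventName"] for r in records if match(r)],
        "uncovered_t1531": [r["eventName"] for r in records
                            if not match(r) and r["eventName"] in T1531_IAM_EVENTS],
    }


def extend_pattern(pattern, extra_event_names):
    """Append eventName terms; the result is valid input for `aws logs put-metric-filter`."""
    inner = pattern.strip()[1:-1]
    extra = "".join(f"||($.eventName={n})" for n in sorted(extra_event_names))
    return "{" + inner + extra + "}"


CLOUDTRAIL_SAMPLE = [  # constructed records, trimmed to the fields used here
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"userName": "mallory"}, "requestParameters": {"userName": "alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteLoginProfile",
     "userIdentity": {"userName": "mallory"}, "requestParameters": {"userName": "alice"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteAccessKey",
     "userIdentity": {"userName": "mallory"}, "requestParameters": {"userName": "bob"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateLoginProfile",
     "userIdentity": {"userName": "mallory"}, "requestParameters": {"userName": "carol"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteUser",
     "userIdentity": {"userName": "mallory"}, "requestParameters": {"userName": "dave"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "ops"}, "requestParameters": {}},
]

if __name__ == "__main__":
    result = coverage(CIS_3_4_PATTERN, CLOUDTRAIL_SAMPLE)
    print("3.4 alarms on:        ", result["matched"])
    print("T1531 calls it misses:", result["uncovered_t1531"])
    print("extended pattern:", extend_pattern(CIS_3_4_PATTERN, T1531_IAM_EVENTS))
```

Of the five IAM calls in the sample, only the policy attachment trips the 3.4 filter; deleting the console login profile, resetting its password, deleting an access key and deleting the user itself all pass silently, which is the narrower meaning behind the Partial score (beyond the page's point that OS-level accounts are out of scope entirely). The `extend_pattern` output can be supplied as the filter pattern of an additional metric filter on the CloudTrail log group, alongside rather than in place of the benchmark's own, so the CIS check keeps passing.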
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
EID-CAE-E3 | Continuous Access Evaluation | Technique Scores | T1531 | Account Access Removal | |
Comments
Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. As a result, tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and to Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:
- User account is deleted or disabled
- Password for a user is changed or reset
- Multifactor authentication is enabled for the user
- Administrator explicitly revokes all refresh tokens for a user
- High user risk detected by Microsoft Entra ID Protection
License Requirements:
Continuous access evaluation will be included in all versions of Microsoft 365.
DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1531 | Account Access Removal | |
Comments
This control can identify anomalous admin activity.
EID-PWLA-E3 | Passwordless Authentication | Technique Scores | T1531 | Account Access Removal | |
Comments
Microsoft recommends the use of passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).
When combined with Conditional Access policies, passwordless authentication can significantly reduce the likelihood of adversary account activity (e.g., account creation or deletion) by removing the password an adversary would otherwise steal or guess to obtain that access.
License Requirements:
All Microsoft Entra ID licenses
EID-IDSS-E3 | Identity Secure Score | Technique Scores | T1531 | Account Access Removal | |
Comments
This control's recommendation "Designate more than one global admin" enables recovery when an adversary locks a global administrator account (by deleting, locking, or manipulating it, e.g., changing its credentials). Because this is a recommendation rather than an enforced control, its score is capped at Partial.
DEF-IR-E5 | Incident Response | Technique Scores | T1531 | Account Access Removal | |
Comments
An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes, which results in multiple alerts for multiple entities in your tenant. Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical incident response workflow in Microsoft Defender XDR begins with triage, followed by investigation, and finally response.
Incident Response in Microsoft Defender XDR (formerly Microsoft 365 Defender) responds to Account Access Removal attacks because it includes monitoring for password change security alerts, which flag unexpected modification of user account properties.
License Requirements:
Microsoft Defender XDR