Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
azure_sentinel | Azure Sentinel | technique_scores | T1531 | Account Access Removal | Comments: The following Azure Sentinel Hunting queries can identify potentially malicious behavior on user accounts: "AD Account Lockout", "Anomalous Password Reset", "SQL User deleted from Database", "User removed from SQL Server Roles", and "User removed from SQL Server SecurityAdmin Group". The Azure Sentinel Analytics "Sensitive Azure Key Vault operations" query can identify attempts to remove account access by deleting keys or entire key vaults.
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1531 | Account Access Removal | Comments: This control can identify anomalous admin activity.
azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1531 | Account Access Removal | Comments: This control's "Designate more than one global admin" recommendation can enable recovery when an adversary locks a global administrator account (by deleting, locking, or manipulating it, e.g. changing its credentials). Because this is a recommendation rather than an enforced control, its score is capped as Partial.