T1531.md

T1531 - Account Access Removal

Description from ATT&CK

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)

Atomic Tests

• Atomic Test #1 - Change User Password - Windows

• Atomic Test #2 - Delete User - Windows

Atomic Test #1 - Change User Password - Windows

Changes the user password to hinder access attempts. Seen in use by LockerGoga.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
user_account	User account whose password will be changed.	string	Administrator
new_password	New password for the specified account.	string	HuHuHUHoHo283283@dJD

Run it with command_prompt! Elevation Required (e.g. root or admin)

net.exe user #{user_account} #{new_password}

Commands to Check Prerequisites:

net.exe user #{user_account}

Atomic Test #2 - Delete User - Windows

Deletes a user account to prevent access.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
user_account	User account to be deleted.	string	AtomicUser

Run it with command_prompt! Elevation Required (e.g. root or admin)

net.exe user #{user_account} /delete

Commands to Check Prerequisites:

net.exe user #{user_account} /add
net.exe user #{user_account} P@$$w0rd