User Account Deletion (d6257b8e-869c-41c0-8731-fdca40858a91)

The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service.

Data Collection Measures:

  • Host-Based Logging
    • Windows Event Logs
      • Event ID 4726 – A user account was deleted.
      • Event ID 4733 – A member was removed from a security-enabled local group (4729 and 4757 are the global and universal group equivalents); 4735 only records that a local group was changed, not that a member was removed.
      • Event ID 4743 – A computer account was deleted (covers the machine accounts in the definition above).
      • Event ID 1102 – Security log was cleared (potential cover-up).
    • Linux/macOS Authentication Logs
      • /var/log/auth.log, /var/log/secure – userdel (which deluser wraps on Debian) logs "delete user '<name>'" here via syslog; passwd -l only locks the account, so treat it as a related but separate signal.
      • AuditD – userdel emits DEL_USER and DEL_GROUP audit records; add file watches on /etc/passwd and /etc/shadow (-w /etc/passwd -p wa) to catch manual edits that bypass the tools.
      • OSQuery – Diffing successive snapshots of the users table (a scheduled query with differential logging) surfaces accounts that have disappeared.
  • Cloud-Based Logging
    • Azure AD Logs
      • Azure AD Audit Logs – Tracks user and service account deletions.
      • Microsoft Graph API – The auditLogs/directoryAudits endpoint exposes the same audit records for programmatic monitoring (the older Azure AD Graph API is deprecated).
    • AWS IAM & CloudTrail Logs
      • DeleteUser, DeleteRole – IAM user and role deletion (eventSource iam.amazonaws.com).
      • DetachUserPolicy, DetachRolePolicy, DeleteLoginProfile, DeleteAccessKey, RemoveUserFromGroup – The clean-up AWS requires before a principal can be deleted, so a burst of these is a leading indicator of a pending DeleteUser or DeleteRole.
    • Google Workspace & Office 365 Logs
      • Google Admin Console – Logs user removal activities.
      • Microsoft 365 Unified Audit Log – Captures account deletions in the Azure AD tenant (operation "Delete user"), not in on-premises Active Directory; on-prem deletions are recorded as Event ID 4726 on the domain controllers.
  • Container & Network Account Deletion Logs
    • Kubernetes Service Account Deletion
      • Kubernetes API server audit logs – Record verb "delete" against the serviceaccounts resource (objectRef.resource) together with the requesting user and namespace; kubectl itself produces no audit log.
      • GKE/Azure AKS Logs – Surface the same API server audit events through Cloud Logging and Azure Monitor respectively.
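Each source above records a deletion in a different shape. As an added example that is not part of this page or of MITRE's material, the Python below normalises constructed samples of four of them (a Windows 4726 and 1102 event in the XML layout wevtutil exports, a userdel syslog line, CloudTrail IAM records, and a Kubernetes API server audit event) into one alert record, treats the IAM prerequisite calls as deletion precursors, and flags the cover-up sequence of a 4726 followed by a 1102 from the same subject on the same host. Host names, user names, timestamps and the AWS account ID are invented.

```python
"""Normalise account-deletion telemetry from several sources into one alert
shape and flag the delete-then-clear-the-log pattern. Added example; every
record below is constructed, not captured telemetry."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Windows Security events in wevtutil's XML layout (constructed, namespace
# prefix dropped). 4726 = account deleted, 1102 = Security log cleared.
WIN_4726 = """<Event><System><EventID>4726</EventID><Computer>WS01</Computer>
<TimeCreated SystemTime="2024-05-01T10:15:00Z"/></System><EventData>
<Data Name="TargetUserName">svc_backup</Data><Data Name="TargetDomainName">WS01</Data>
<Data Name="SubjectUserName">jdoe</Data></EventData></Event>"""
WIN_1102 = """<Event><System><EventID>1102</EventID><Computer>WS01</Computer>
<TimeCreated SystemTime="2024-05-01T10:16:30Z"/></System><UserData><LogFileCleared>
<SubjectUserName>jdoe</SubjectUserName></LogFileCleared></UserData></Event>"""

# shadow-utils userdel line as written to /var/log/auth.log (constructed).
AUTH_LOG = "May  1 10:17:02 web01 userdel[4321]: delete user 'deploy'"

# CloudTrail IAM records: the prerequisite clean-up, then DeleteUser (constructed).
CLOUDTRAIL = [
    {"eventTime": "2024-05-01T10:18:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteLoginProfile", "requestParameters": {"userName": "ci-deployer"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"}},
    {"eventTime": "2024-05-01T10:18:05Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DeleteUser", "requestParameters": {"userName": "ci-deployer"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/jdoe"}},
]

# Kubernetes API server audit event for a service-account delete (constructed).
K8S_AUDIT = {"kind": "Event", "verb": "delete", "stageTimestamp": "2024-05-01T10:19:00Z",
             "user": {"username": "jdoe"},
             "objectRef": {"resource": "serviceaccounts", "namespace": "prod", "name": "deployer"}}

SYSLOG_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+userdel\[\d+\]: "
                       r"delete user '(?P<user>[^']+)'")


def _win_fields(xml_text: str) -> Dict[str, str]:
    """Flatten a Windows event into {EventID, Computer, SystemTime, <Data Name>...}."""
    root = ET.fromstring(xml_text)
    out = {"EventID": root.findtext("System/EventID", ""),
           "Computer": root.findtext("System/Computer", "")}
    tc = root.find("System/TimeCreated")
    out["SystemTime"] = tc.get("SystemTime", "") if tc is not None else ""
    for d in root.iterfind("EventData/Data"):
        out[d.get("Name", "")] = d.text or ""
    for el in root.iterfind("UserData/LogFileCleared/*"):  # 1102 uses UserData
        out[el.tag] = el.text or ""
    return out


def windows_events(xml_events: List[str]) -> List[Dict[str, str]]:
    """4726 -> account_deleted alert; 1102 -> log_cleared alert."""
    alerts = []
    for f in (_win_fields(x) for x in xml_events):
        if f["EventID"] == "4726":
            alerts.append({"source": "windows", "action": "account_deleted", "time": f["SystemTime"],
                           "scope": f["Computer"], "target": f.get("TargetUserName", ""),
                           "actor": f.get("SubjectUserName", "")})
        elif f["EventID"] == "1102":
            alerts.append({"source": "windows", "action": "log_cleared", "time": f["SystemTime"],
                           "scope": f["Computer"], "target": "Security",
                           "actor": f.get("SubjectUserName", "")})
    return alerts


def linux_events(lines: List[str]) -> List[Dict[str, str]]:
    """Match the 'delete user' line userdel writes through syslog."""
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            alerts.append({"source": "linux", "action": "account_deleted", "time": line[:15],
                           "scope": m["host"], "target": m["user"], "actor": ""})
    return alerts


def cloudtrail_events(records: List[dict]) -> List[Dict[str, str]]:
    """DeleteUser/DeleteRole are the deletion; the clean-up calls AWS requires
    first are reported as precursors so they can be alerted on early."""
    precursors = {"DeleteLoginProfile", "DeleteAccessKey", "DetachUserPolicy",
                  "DetachRolePolicy", "RemoveUserFromGroup"}
    alerts = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com":
            continue
        name = r["eventName"]
        if name in ("DeleteUser", "DeleteRole"):
            action = "account_deleted"
        elif name in precursors:
            action = "deletion_precursor"
        else:
            continue
        params = r.get("requestParameters", {})
        alerts.append({"source": "aws", "action": action, "time": r["eventTime"], "scope": name,
                       "target": params.get("userName") or params.get("roleName", ""),
                       "actor": r["userIdentity"]["arn"]})
    return alerts


def k8s_events(events: List[dict]) -> List[Dict[str, str]]:
    """API server audit: verb delete on the serviceaccounts resource."""
    return [{"source": "kubernetes", "action": "account_deleted", "time": e["stageTimestamp"],
             "scope": e["objectRef"].get("namespace", ""), "target": e["objectRef"]["name"],
             "actor": e["user"]["username"]}
            for e in events
            if e.get("verb") == "delete" and e.get("objectRef", {}).get("resource") == "serviceaccounts"]


def cover_ups(alerts: List[Dict[str, str]]) -> List[str]:
    """A Security log clear by the same actor on the same host after a deletion."""
    deletions = [a for a in alerts if a["source"] == "windows" and a["action"] == "account_deleted"]
    return [f"{c['actor']} deleted {d['target']} on {d['scope']} then cleared the Security log"
            for d in deletions for c in alerts
            if c["action"] == "log_cleared" and c["scope"] == d["scope"]
            and c["actor"] == d["actor"] and c["time"] >= d["time"]]


def run_samples() -> List[Dict[str, str]]:
    """Run every parser over the constructed samples above."""
    return (windows_events([WIN_4726, WIN_1102]) + linux_events([AUTH_LOG])
            + cloudtrail_events(CLOUDTRAIL) + k8s_events([K8S_AUDIT]))


if __name__ == "__main__":
    found = run_samples()
    for a in found:
        print(a)
    print(cover_ups(found))
```

The common alert shape (source, action, time, scope, target, actor) is what makes the cross-source correlation cheap: the same `cover_ups` idea extends to a CloudTrail `DeleteTrail` or `StopLogging` call after `DeleteUser` by the same ARN, with no change to the parsers.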
Related clusters (Cluster A / Galaxy A -> Cluster B / Galaxy B, level):

  • Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) / Attack Pattern -> User Account Deletion (d6257b8e-869c-41c0-8731-fdca40858a91) / mitre-data-component, level 1
  • Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0) / Attack Pattern -> User Account Deletion (d6257b8e-869c-41c0-8731-fdca40858a91) / mitre-data-component, level 1
  • User Account Deletion (d6257b8e-869c-41c0-8731-fdca40858a91) / mitre-data-component -> Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) / Attack Pattern, level 1
  • Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) / Attack Pattern -> Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) / Attack Pattern, level 2