From f8b8d883925962869f2881130fb35b7cc5624f36 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 27 Sep 2020 11:27:02 -0500 Subject: [PATCH] T1531 added --- Tactics/Impact.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Tactics/Impact.md b/Tactics/Impact.md index 547d6cf..323662c 100644 --- a/Tactics/Impact.md +++ b/Tactics/Impact.md @@ -3,6 +3,11 @@ ### T1531 Account Access Removal Atomics: [T1531](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md) +Detects the deletion of a local user account or removal of Active Directory groups through powershell cmdlets. No detection for account password resets for purpose of impact due to false detections. + +``` +SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR TgtProcCmdLine ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS "Remove-ADGroupMember" +``` ### T1485 Data Destruction Atomics: [T1485](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md)
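Review bot: the description in the added lines ("removal of Active Directory groups through powershell cmdlets") does not match what the query actually detects: `Remove-ADGroupMember` removes members from a group rather than deleting the group itself, and `net user <name> /delete` is a command-line tool, not a cmdlet. Suggest rewording to something like "deletion of a local user account via `net user /delete`, or removal of members from Active Directory groups via the `Remove-ADGroupMember` cmdlet". Two further points on the query line itself: the field names are cased inconsistently (`SrcProcCmdline` in the first clause, `TgtProcCmdLine` in the second), so if the query language treats field names case-sensitively the `net user` clause would silently never match; verify the exact field spelling before merging. And the `net user` pattern is checked only against the source process command line while the cmdlet pattern is checked against the target process command line and script; a `net user ... /delete` spawned as a child process would only be visible on the target side, so consider applying both patterns to both fields.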