title: Account Access Removal
description: Detects the deletion of a local user account or removal of Active Directory
  groups through powershell cmdlets.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Impact
   technique: T1531
   subtechnique: 
operating_system: windows
query: SrcProcCmdline RegExp "net\s+user(?:(?!\s+/delete)(?:.|\n))*\s+/delete" OR
  TgtProcCmdLine  ContainsCIS "Remove-ADGroupMember" OR SrcProcCmdScript ContainsCIS
  "Remove-ADGroupMember"
false_positives: 
tags: 
references: