账号访问移除是指攻击者通过删除、锁定或篡改凭证等手段阻断合法用户账户访问权限的攻击技术,通常作为勒索攻击或数据破坏行动的前置步骤。传统检测方法依赖进程监控(如net.exe、PowerShell使用模式)和Windows事件日志分析(ID 4723/4724/4726/4740),但存在误报率高、响应滞后等缺陷。防御方需结合用户行为基线分析,将账户变更事件与其它攻击指标进行关联研判。
为规避传统检测机制,攻击者发展出多维匿迹技术,通过操作痕迹伪装、工具链寄生和攻击时序重构等策略,将恶意账户操作深度隐匿于正常系统活动中。这些技术突破单点操作检测的局限性,构建出具备环境适应性的新型账户控制手段。
当前账号访问移除匿迹技术的共性在于攻击链的解耦与合法上下文的重构。凭证操作日志伪装通过双向篡改机制实现操作与审计证据的一致性伪造,在时间戳、进程树和用户上下文等维度构建完美攻击轨迹;系统管理工具链寄生执行则利用运维生态的信任传递特性,将恶意指令封装为标准化配置任务,借助工具链自身的权限脱敏和日志过滤功能实现攻击隐匿;分布式时间延迟锁定通过时空维度分解攻击强度,使单个节点的低频操作融入正常用户行为基线。三类技术的核心突破在于打破传统账户操作攻击的"原子性"特征,将高破坏性操作转化为具备持续性和隐蔽性的渐进式攻击进程。
匿迹技术的演进导致基于单事件告警的账户安全防护体系面临失效风险,防御方需构建操作意图识别模型,结合UEBA分析账户变更的上下文合理性,并实施跨系统的日志完整性保护机制,提升对隐蔽式账户操控的检测与响应能力。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ❌ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过深度模拟合法管理操作的工作流特征实现攻击隐匿。例如将账户删除指令嵌入Ansible剧本的合规配置任务中,或使用数字签名验证的PsExec工具执行锁定操作。这种手法使得恶意行为在进程树、网络协议和权限上下文等维度与正常运维活动完全一致,规避基于行为特征差异的检测规则。
在系统管理工具链寄生执行中,攻击者利用工具自带的日志脱敏功能或加密通信通道,隐藏恶意指令的关键参数。例如通过Base64编码嵌套删除命令,或使用TLS加密的WinRM协议传输篡改指令,使得网络流量分析和日志审计难以获取攻击实质内容。
分布式时间延迟锁定技术将集中式攻击分解为长周期、跨地域的低强度操作,单个节点的账户变更频率控制在目标环境的正常波动范围内。通过僵尸网络节点的智能调度,使攻击特征分散在不同时间窗口和地理区域,破坏基于操作集中性和时序关联性的检测模型。
| ID | Name | Description |
|---|---|---|
| G1024 | Akira |
Akira deletes administrator accounts in victim networks prior to encryption.[1] |
| S1134 | DEADWOOD |
DEADWOOD changes the password for local and domain users via |
| G1004 | LAPSUS$ |
LAPSUS$ has removed a targeted organization's global admin accounts to lock the organization out of all access.[3] |
| S0372 | LockerGoga |
LockerGoga has been observed changing account passwords and logging off current users.[4][5] |
| S0576 | MegaCortex |
MegaCortex has changed user account passwords and logged users off the system.[6] |
| S0688 | Meteor |
Meteor has the ability to change the password of local users on compromised hosts and can log off users.[7] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0026 | Active Directory | Active Directory Object Modification |
Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.). Analytic 1 - Unusual password change operations
|
| DS0002 | User Account | User Account Deletion |
Monitor for unexpected deletions of user accounts. Windows event logs may designate activity associated with an adversary's attempt to remove an account (ex: Event ID 4726 - A user account was deleted). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
| User Account Modification |
Monitor for changes made to user accounts for unexpected modification of properties, such as passwords or status (enabled/disabled). Windows event logs may designate activity associated with an adversary's attempt to remove access to an account:Event ID 4723 - An attempt was made to change an account's passwordEvent ID 4724 - An attempt was made to reset an account's passwordEvent ID 4725 - A user account was disabled Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |