ATT&CKcon 5.0 returns October 22-23, 2024 in McLean, VA. Register for in-person participation here. Stay tuned for virtual registration!

Account Access Removal

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts.

ID: T1640

Sub-techniques: No sub-techniques

Tactic Type: Post-Adversary Device Access

ⓘ

Tactic: Impact

ⓘ

Platforms: Android

Version: 1.1

Created: 06 April 2022

Last Modified: 15 March 2023

Procedure Examples

ID	Name	Description
S0407	Monokle	Monokle can reset the user's password/PIN.^[1]

Mitigations

ID	Mitigation	Description
M1011	User Guidance	Users should be taught that Device Administrator permissions are very dangerous, and very few applications need it.

Detection

ID	Data Source	Data Component	Detects
DS0041	Application Vetting	Permissions Requests	Application vetting services could closely scrutinize applications that request Device Administrator permissions.

References

Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.