ATT&CK v18 has been released! Check out the blog post or changelog for more information.

User Account Deletion

The removal of a user, service, or machine account from an operating system, cloud identity management system, or directory service.

ID: DC0009

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 12 November 2025

Log Sources

Name	Channel
esxi:hostd	method=RemoveUser or esxcli system account remove invocation
m365:unified	Remove-Mailbox, Set-Mailbox
WinEventLog:Security	EventCode=4726, 4657

ID	Name	Technique Detected
DET0120	Account Access Removal via Multi-Platform Audit Correlation	T1531
DET0040	Detection of Persistence Artifact Removal Across Host Platforms	T1070.009