T1531: T1531
Essential information
- MITRE technique ID
T1531- Confidence
- 100/100
- Revoked
- No
- Published
- 09/10/2019 20:48
- Modified
- 21/04/2026 17:28
- Author / Source
- The MITRE Corporation
Aliases
Account Access Removal
Platforms
windows macos linux IaaS ESXi Office Suite SaaS
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | impact |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (16)
-
Crimson usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
CL0P usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Bl00dy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (80)
-
AlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Transparent Tribe usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Anubis usesFamily The MITRE Corporation Confidence 100
[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)
First seen 01/01/1970 · Last seen 16/11/5138 · -
seaspray usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
EvilTokens usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
JokerSpy usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
QuackBot usesThe MITRE Corporation Confidence 100
[QakBot](https://attack.mitre.org/software/S0650) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://attack.mitre.org/software/S0650) is continuously maintained and developed and has evolved from…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Cuba usesFamily The MITRE Corporation Confidence 100
[Cuba](https://attack.mitre.org/software/S0625) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at…
First seen 01/01/1970 · Last seen 16/11/5138 · -
WHIRLPOOL usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Hancitor usesFamily The MITRE Corporation Confidence 100
[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)
First seen 01/01/1970 · Last seen 16/11/5138 · -
BlackCat usesFamily The MITRE Corporation Confidence 100
[BlackCat](https://attack.mitre.org/software/S1068) is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) model. First observed November 2021, [BlackCat](https://attack.mitre.org/software/S1068) has been used to target multiple sectors and…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Android/InfoStealer usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (8)
-
AlienVault Confidence 100 3 CVEs 20 MITREs 2 Malwares 2 IOCs 2 Observables
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
19 MITREs 1 Malware
-
18 MITREs 5 Malwares
-
18 MITREs 5 Malwares 1 APT
-
11 MITREs 65 Observables 1 APT
-
3 CVEs 32 MITREs 1 Malware 2 Observables 1 APT
-
7 MITREs 1 Malware 14 Observables
Vulnerabilities (CVE) (38)
Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …
- Attack vector
- Network
- Published
- 12/04/2024
- Modified
- 21/12/2025
A command injection vulnerability in the CGI program of some Zyxel firewall versions could allow an attacker to modify specific files and …
- Published
- 16/05/2022
- Modified
- 20/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …
- Attack vector
- Adjacent
- Published
- 30/09/2022
- Modified
- 20/12/2025
Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …
- Attack vector
- Network
- Published
- 05/10/2023
- Modified
- 21/12/2025
Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …
- Attack vector
- Network
- Published
- 10/01/2024
- Modified
- 27/05/2026
Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …
- Attack vector
- Network
- Published
- 07/11/2023
- Modified
- 21/12/2025
Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 13/12/2022
- Modified
- 20/12/2025
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …
- Attack vector
- Network
- Published
- 25/09/2025
- Modified
- 21/12/2025
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.
- Attack vector
- Network
- Published
- 15/03/2023
- Modified
- 21/12/2025
F5 BIG-IP Configuration utility contains an authentication bypass using an alternate path or channel vulnerability due to undisclosed requests that may allow …
- Attack vector
- Network
- Published
- 31/10/2023
- Modified
- 21/12/2025
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense …
- Attack vector
- Network
- Published
- 25/09/2025
- Modified
- 21/12/2025
Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario.
- Attack vector
- Network
- Published
- 23/01/2023
- Modified
- 20/12/2025