DC0009 User Account Deletion

| Item | Value |
|---|---|
| ID | DC0009 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
|---|---|
| esxi:hostd | method=RemoveUser or esxcli system account remove invocation |
| m365:unified | Remove-Mailbox, Set-Mailbox |
| WinEventLog:Security | EventCode=4726, 4657 |

Detection Strategy

| ID | Name | Technique Detected |
|---|---|---|
| DET0120 | Account Access Removal via Multi-Platform Audit Correlation | T1531 |
| DET0040 | Detection of Persistence Artifact Removal Across Host Platforms | T1070.009 |