Delete User Account

A subject may delete user accounts to obscure their activities and delete files and information associated with that user.

A subject may delete user accounts to obscure their activities and delete files and information associated with that user.

A subject may delete user accounts to obscure their activities and delete files and information associated with that user.

A subject may delete user accounts to obscure their activities and delete files and information associated with that user.

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

Additional configuration may be required for these Event logs to be generated.

Within the Security log, Event ID 4726 (A user account was deleted) and Event ID 4743 (Computer account was successfully deleted) can be used to identify account deletion.

These two Event logs contain the account domain, name, and SID of both the account requesting the deletion, and the target account to be deleted.