Anti-Forensics
Clear Browser Artifacts
Clear Command History
Clear Operating System Logs
Delete User Account
Disk Wiping
File Deletion
File Encryption
Hide Artifacts
Log Tampering
Modify Windows Registry
Physical Destruction of Storage Media
Physical Removal of Disk Storage
Steganography
System Shutdown
Timestomping
Tripwires
Uninstalling Software
Use of a Virtual Machine
- ID: AF013.001
- Created: 25th May 2024
- Updated: 14th June 2024
- Platform: Windows
- Contributor: The ITM Team
Delete Local Windows User
A subject may delete user accounts to obscure their activities and delete files and information associated with that user.
Prevention
ID | Name | Description |
---|---|---|
PV002 | Restrict Access to Administrative Privileges | The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role. |
Detection
ID | Name | Description |
---|---|---|
DT056 | User Account Deleted, Windows Event Log | Additional configuration may be required for these Event logs to be generated. Within the Security log, Event ID 4726 (A user account was deleted) and Event ID 4743 (Computer account was successfully deleted) can be used to identify account deletion. These two Event logs contain the account domain, name, and SID of both the account requesting the deletion, and the target account to be deleted. |