Detections
- Home
- - Detections
- -DT056
- ID: DT056
- Created: 09th June 2024
- Updated: 17th June 2024
- Platform: Windows
- Contributor: The ITM Team
User Account Deleted, Windows Event Log
Additional configuration may be required for these Event logs to be generated.
Within the Security log, Event ID 4726 (A user account was deleted) and Event ID 4743 (Computer account was successfully deleted) can be used to identify account deletion.
These two Event logs contain the account domain, name, and SID of both the account requesting the deletion, and the target account to be deleted.
Sections
ID | Name | Description |
---|---|---|
AF013 | Delete User Account | A subject may delete user accounts to obscure their activities and delete all files associated with that user. |
AF013.001 | Delete Local Windows User | A subject may delete user accounts to obscure their activities and delete files and information associated with that user. |
AF013.002 | Delete Windows Active Directory User | A subject may delete user accounts to obscure their activities and delete files and information associated with that user. |