Insider Threat Matrix™

  • ID: DT056
  • Created: 09th June 2024
  • Updated: 17th June 2024
  • Platform: Windows
  • Contributor: The ITM Team

User Account Deleted, Windows Event Log

Additional configuration may be required for these Event logs to be generated.

Within the Security log, Event ID 4726 (A user account was deleted) and Event ID 4743 (Computer account was successfully deleted) can be used to identify account deletion.

These two Event logs contain the account domain, name, and SID of both the account requesting the deletion and the target account to be deleted.
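The following PowerShell is an added example, not part of the original ITM entry: it extracts the requesting and deleted account details from the XML of a 4726 or 4743 event. The `Subject*` and `Target*` names are the EventData field names these events use; the function name, host, account names and SIDs in the sample are constructed.

```powershell
# Added example. Turns the XML of a 4726/4743 event into one summary object.
function ConvertFrom-AccountDeletionEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $id  = [int]$evt.System.EventID
        if ($id -notin 4726, 4743) { return }   # not an account deletion

        # EventData is a flat list of <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated  = $evt.System.TimeCreated.SystemTime
            LoggedOn     = $evt.System.Computer
            EventId      = $id
            AccountType  = if ($id -eq 4726) { 'User' } else { 'Computer' }
            Requester    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            RequesterSid = $data.SubjectUserSid
            Deleted      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            DeletedSid   = $data.TargetSid
        }
    }
}

# Constructed sample event (all names and SIDs are made up) for offline testing.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4726</EventID>
    <TimeCreated SystemTime="2024-06-09T10:15:30.0000000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">tmp-svc</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">j.doe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-AccountDeletionEvent

# Live use (needs rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4726, 4743 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-AccountDeletionEvent
```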

Sections

| ID | Name | Description |
|---|---|---|
| AF013 | Delete User Account | A subject may delete user accounts to obscure their activities and delete all files associated with that user. |
| AF013.001 | Delete Local Windows User | A subject may delete user accounts to obscure their activities and delete files and information associated with that user. |
| AF013.002 | Delete Windows Active Directory User | A subject may delete user accounts to obscure their activities and delete files and information associated with that user. |