Event ID 4726 — A user account was deleted.
Description

A user account was deleted. The Subject fields identify the account (and its logon session) that requested the deletion; the Target Account fields identify the account that was removed. For domain accounts the event is logged on the domain controller that processed the deletion; for local accounts it is logged on the computer that holds the account. It is only recorded when Success auditing is enabled for the Audit User Account Management subcategory (see the Audit Policy reference below).
Fields

| event_data key | Name | Description |
|---|---|---|
| SubjectUserSid | Security_ID | [Subject] SID of the account that requested the deletion. |
| SubjectUserName | Account_Name | [Subject] Name of the account that requested the deletion. |
| SubjectDomainName | Account_Domain | [Subject] Domain or computer name of the subject account. |
| SubjectLogonId | Logon_ID | [Subject] Logon ID of the session that performed the deletion; correlate with Event ID 4624 to find how that session was established. |
| TargetUserName | Account_Name | [Target Account] Name of the deleted account. |
| TargetDomainName | Account_Domain | [Target Account] Domain or computer name of the deleted account (equal to the computer name for local SAM accounts). |
| TargetSid | Security_ID | [Target Account] SID of the deleted account. Once the account is gone, this SID is the only stable key for correlating earlier events about it. |
| PrivilegeList | Privileges | [Additional Information] Privileges used for the operation; usually "-". |
Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4726,
    "version": 0,
    "level": 0,
    "task": 13824,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2022-01-24T17:03:25.009874Z",
    "event_record_id": 1934526,
    "correlation": {},
    "execution": {
      "process_id": 480,
      "thread_id": 1496
    },
    "channel": "Security",
    "computer": "fs03vuln.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "TargetUserName": "3teamssixf$",
    "TargetDomainName": "FS03VULN",
    "TargetSid": "S-1-5-21-2721507831-1374043488-2540227515-1008",
    "SubjectUserSid": "S-1-5-21-4230534742-2542757381-3142984815-1111",
    "SubjectUserName": "admmig",
    "SubjectDomainName": "OFFSEC",
    "SubjectLogonId": "0x14f509e2",
    "PrivilegeList": "-"
  }
}
```

In this example TargetDomainName equals the computer name (FS03VULN), so the deleted account was a local SAM account on fs03vuln.offsec.lan, removed by the domain account OFFSEC\admmig.
Detection Patterns

User Account (6 rules). Correlation pattern over the Security-Auditing account-management events, which are used together:
- Event ID 4720: A user account was created.
- Event ID 4722: A user account was enabled.
- Event ID 4723: An attempt was made to change an account's password.
- Event ID 4724: An attempt was made to reset an account's password.
- Event ID 4725: A user account was disabled.
- Event ID 4726: A user account was deleted.
- Event ID 4728: A member was added to a security-enabled global group.
- Event ID 4732: A member was added to a security-enabled local group.
- Event ID 4733: A member was removed from a security-enabled local group.
- Event ID 4738: A user account was changed.
- Event ID 4743: A computer account was deleted.
- Event ID 4780: The ACL was set on accounts which are members of administrators groups.

Created then deleted (3 rules). Sequence pattern: Event ID 4720: A user account was created, followed by Event ID 4726: A user account was deleted for the same account, i.e. a short-lived account.
Detection Rules

Splunk
- Windows Multiple Accounts Deleted: The following analytic detects the deletion of more than five unique Windows accounts within a 10-minute period, using Event Code 4726 from the Windows Security Event Log. It leverages the `wineventlog_security` dataset, segmenting data into 10-minute intervals to identify suspicious account deletions. This activity is significant as it may indicate an attacker attempting to erase traces of their actions. If confirmed malicious, this could lead to unauthorized access removal, hindering incident response and forensic investigations.
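The two detections this page describes, the Splunk "more than five unique accounts deleted in 10 minutes" rule and the 4720 → 4726 created-then-deleted sequence, worked through as an added Python example. This is not the Splunk rule, the page's own code, or hayabusa's code. Events are built in the nested `system` / `event_data` shape of the example above; the sample log (host dc01.offsec.lan, accounts user3 to user9, svc-tmp, jdoe, subjects admmig and hr-admin) is constructed for the example. Unlike the Splunk rule, which counts within fixed 10-minute bins, the burst check uses a sliding window so a burst that straddles a bin boundary is still caught, and the sequence check correlates on TargetSid rather than account name.

```python
"""Detections over Security events in the JSON shape used on this page."""
import json
from datetime import datetime, timedelta


def _raw(event_id, ts, target, sid, subject, computer="dc01.offsec.lan",
         target_domain="OFFSEC", subject_domain="OFFSEC"):
    """One constructed event in the hayabusa-style shape of the example above."""
    return {
        "system": {"provider": "Microsoft-Windows-Security-Auditing",
                   "event_id": event_id, "time_created": ts,
                   "channel": "Security", "computer": computer},
        "event_data": {"TargetUserName": target, "TargetDomainName": target_domain,
                       "TargetSid": sid, "SubjectUserName": subject,
                       "SubjectDomainName": subject_domain},
    }


_SID = "S-1-5-21-4230534742-2542757381-3142984815-%d"  # assumed domain SID prefix

# Constructed sample log, not real telemetry: seven deletions in six minutes by
# OFFSEC\admmig, a service account created and deleted 25 minutes apart, and one
# routine offboarding deletion hours later.
RAW_EVENTS = [
    _raw(4726, "2022-01-24T17:0%d:25Z" % m, "user%d" % m, _SID % (2000 + m), "admmig")
    for m in range(3, 10)
] + [
    _raw(4720, "2022-01-24T17:40:00Z", "svc-tmp", _SID % 2100, "admmig"),
    _raw(4726, "2022-01-24T18:05:00Z", "svc-tmp", _SID % 2100, "admmig"),
    _raw(4726, "2022-01-24T19:30:00Z", "jdoe", _SID % 1500, "hr-admin"),
]


def parse_event(raw):
    """Flatten one raw event into the fields the detections need."""
    sysd, data = raw["system"], raw["event_data"]
    name = "%s\\%s" % (data["TargetDomainName"], data["TargetUserName"])
    return {
        "event_id": sysd["event_id"],
        "time": datetime.fromisoformat(sysd["time_created"].replace("Z", "+00:00")),
        "computer": sysd["computer"],
        "subject": "%s\\%s" % (data["SubjectDomainName"], data["SubjectUserName"]),
        "target": name,
        # Correlate on the SID when present: it survives renames, the name does not.
        "target_key": data.get("TargetSid") or name,
    }


def load_events(raw_events):
    """Parse and time-order events; both detections rely on the ordering."""
    return sorted((parse_event(r) for r in raw_events), key=lambda e: e["time"])


def burst_deletions(events, threshold=5, window=timedelta(minutes=10)):
    """Flag any window of `window` length in which more than `threshold` distinct
    accounts were deleted (4726). Overlapping hits are merged into one alert."""
    dels = [e for e in events if e["event_id"] == 4726]
    alerts, start = [], 0
    for end, e in enumerate(dels):
        while e["time"] - dels[start]["time"] > window:
            start += 1                      # slide the window forward
        span = dels[start:end + 1]
        targets = {d["target"] for d in span}
        if len(targets) <= threshold:
            continue
        subjects = {d["subject"] for d in span}
        if alerts and alerts[-1]["window_end"] >= span[0]["time"]:
            last = alerts[-1]               # overlaps the previous alert: extend it
            last["window_end"] = e["time"]
            last["targets"] |= targets
            last["subjects"] |= subjects
        else:
            alerts.append({"window_start": span[0]["time"], "window_end": e["time"],
                           "targets": targets, "subjects": subjects})
    return alerts


def short_lived_accounts(events, max_age=timedelta(hours=1)):
    """Correlate 4720 -> 4726 on the same SID: an account that is created and
    deleted within `max_age` is the throwaway identity the sequence pattern targets."""
    created, hits = {}, []
    for e in events:                        # time-ordered, so 4720 is seen first
        if e["event_id"] == 4720:
            created[e["target_key"]] = e
        elif e["event_id"] == 4726 and e["target_key"] in created:
            c = created.pop(e["target_key"])
            lifetime = e["time"] - c["time"]
            if lifetime <= max_age:
                hits.append({"target": e["target"], "created_by": c["subject"],
                             "deleted_by": e["subject"], "lifetime": lifetime})
    return hits


if __name__ == "__main__":
    evts = load_events(RAW_EVENTS)
    fmt = lambda o: sorted(o) if isinstance(o, set) else str(o)
    print(json.dumps({"burst_deletions": burst_deletions(evts),
                      "short_lived_accounts": short_lived_accounts(evts)},
                     default=fmt, indent=2))
```

On the constructed log the burst check raises a single alert covering all seven deletions by OFFSEC\admmig (the first five alone stay under the threshold, matching the rule's "more than five"), and the sequence check reports svc-tmp with a 25-minute lifetime while leaving the routine jdoe deletion alone. Tune `threshold` and `window` against a baseline of your own account-lifecycle tooling before enabling either in production.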
References

- Microsoft Learn, Event 4726: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4726
- Microsoft Learn, Audit User Account Management policy: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
- Ultimate Windows Security, Event 4726: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4726
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx