4726 A user account was deleted
Written when a user account is deleted. It captures an attacker erasing an account they are done with to hide traces, or the disruptive deletion of a legitimate account.
Overview
The subcategory is Audit User Account Management. It is generated when an account is deleted. Read it together with the creation event 4720 to follow the account across its lifecycle.
How it is triggered
- Deletion via net user /delete, account deletion in AD, Remove-ADUser, and so on.
Security review points
- An attacker may delete an account they created and used during a breach once they have achieved their goal, to erase traces (defense evasion). A short sequence of creation 4720, use, then deletion 4726 suggests a coherent attack.
- Deletion of an important legitimate account (administrator, service account) can mean availability disruption or configuration destruction, so investigate.
Notes for log review
- It occurs during offboarding (many operational processes only disable, not delete) and cleanup. Check that the deletion target, acting subject, and timing align with the operational flow.
- Because deletion loses the account information, reconstruct what the account was by cross-referencing pre-deletion logs such as creation 4720 and group addition 4732.
Key fields
| Field | Meaning |
|---|---|
| Target Account\Account Name | The deleted account |
| Subject\Account Name | The subject that performed the deletion |
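
The correlation described under "Security review points" and "Notes for log review", as an added example (not part of the original page): each 4726 is paired with the earlier 4720 and 4732 events for the same SID to rebuild the account's history and flag short-lived accounts. The flattened record layout, the function name `review_deletions`, the sample events and the 24-hour threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Keys follow the EventData names
# of these events: TargetSid/TargetUserName = account acted on,
# SubjectUserName = actor; in 4732, MemberSid is the added account and
# TargetUserName is the group.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2024-05-01T02:10:00", "TargetSid": "S-1-5-21-1-2-3-1105",
     "TargetUserName": "svc_tmp", "SubjectUserName": "jdoe"},
    {"EventID": 4732, "Time": "2024-05-01T02:11:30", "MemberSid": "S-1-5-21-1-2-3-1105",
     "TargetUserName": "Administrators", "SubjectUserName": "jdoe"},
    {"EventID": 4726, "Time": "2024-05-01T03:40:00", "TargetSid": "S-1-5-21-1-2-3-1105",
     "TargetUserName": "svc_tmp", "SubjectUserName": "jdoe"},
    {"EventID": 4720, "Time": "2023-01-10T09:00:00", "TargetSid": "S-1-5-21-1-2-3-1090",
     "TargetUserName": "asmith", "SubjectUserName": "hr_admin"},
    {"EventID": 4726, "Time": "2024-05-02T10:00:00", "TargetSid": "S-1-5-21-1-2-3-1090",
     "TargetUserName": "asmith", "SubjectUserName": "hr_admin"},
    {"EventID": 4726, "Time": "2024-05-03T11:00:00", "TargetSid": "S-1-5-21-1-2-3-1001",
     "TargetUserName": "old_user", "SubjectUserName": "hr_admin"},
]

def review_deletions(events, max_lifetime=timedelta(hours=24)):
    """Return one finding per 4726, with the account history rebuilt by SID."""
    created, groups, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = (when, ev["SubjectUserName"])
        elif ev["EventID"] == 4732:
            groups.setdefault(ev["MemberSid"], []).append(ev["TargetUserName"])
        elif ev["EventID"] == 4726:
            sid = ev["TargetSid"]
            born = created.pop(sid, None)
            lifetime = when - born[0] if born else None
            findings.append({
                "account": ev["TargetUserName"],
                "deleted_by": ev["SubjectUserName"],
                "created_by": born[1] if born else None,
                "lifetime": lifetime,
                "groups": groups.pop(sid, []),
                # No 4720 in the data set: history must come from older logs.
                "creation_seen": born is not None,
                "short_lived": lifetime is not None and lifetime <= max_lifetime,
            })
    return findings

if __name__ == "__main__":
    for f in review_deletions(SAMPLE_EVENTS):
        print(f)
```

Matching on SID rather than account name keeps the pairing correct when a name is reused for a different account.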