EventPeeker
Scan your Security and Sysmon logs·Detection guides
Event ID 4726Audit SuccessSecurity

Windows Event ID 4726User Account Deleted

Logged when a user account is permanently deleted from the system or directory.

Why It Matters

Deletion of admin accounts can be a destructive attack designed to lock out administrators. Deletion of recently created accounts can indicate attackers cleaning up backdoor accounts after completing their objective.

Key Fields

Target Account NameThe deleted account
Subject Account NameWho deleted it

Investigation Tips

  1. 1.If the deleted account was an admin, investigate immediately — this may be a disruptive attack.
  2. 2.Check if the deleted account was created recently (look back for 4720) — cleanup of a backdoor account.

Related Event IDs

4720Account created — check if this was a backdoor being cleaned up
4725Account disabled — less destructive alternative

See Event ID 4726 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects user account deleted patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →
← All detection guides·Analyze EVTX Logs Free →