Windows Event ID 4726 — User Account Deleted
Logged when a user account is permanently deleted from Active Directory or a local system. Fires on the DC for domain accounts and on the local machine for local accounts. Attackers delete backdoor accounts after completing their objective to remove evidence of persistence.
Why It Matters
Account deletion is both a cleanup technique and a destructive attack vector. Attackers who created backdoor accounts to maintain persistence (4720 + 4728) delete them post-operation to erase the persistence footprint before forensic review. Separately, deleting admin accounts is a destructive denial-of-service — it locks out legitimate administrators and forces a time-consuming account recreation process. The pattern to alert on is a 4720 event (account created) followed days or weeks later by a 4726 for the same account name: the classic backdoor creation → use → cleanup lifecycle.
Key Fields
Investigation Tips
1. Backdoor cleanup IOC: search for 4720 events (account created) matching the deleted account name, particularly if the account was created in the past 1–30 days. A creation-to-deletion cycle without corresponding HR records is the attacker removing evidence of a persistence mechanism.
2. Multiple account deletions in rapid succession (3+ within 5 minutes) from the same Subject are either bulk deprovisioning (which should match an HR action) or a destructive attack. Correlate with change tickets — no matching tickets means an incident.
3. Admin account deletion without a prior 4725 (account disabled) is unusual for legitimate offboarding. Standard IT practice disables first, then deletes after a waiting period. Abrupt deletion without the intermediate disable step suggests either automation or malicious intent.
4. Check the Subject Account Name's recent activity — if the account that performed the deletion itself shows unusual logon patterns, it may be a compromised admin being used for cleanup. Trace via Subject Logon ID.
5. Domain admin deletions are the highest priority. A deleted domain admin account cannot be restored from a 4726 event — the team must manually recreate the account and reassign all permissions. Any domain admin deletion outside of a known departure or role elimination requires immediate verification.
Frequently Asked Questions
- Is Event ID 4726 always a sign of an attack?
- No — account deletion is a normal part of IT offboarding. HR departures, contractor role completions, and decommissioned service accounts all generate 4726 events. The indicators that differentiate a malicious deletion from a legitimate one: no matching HR record or change ticket, deletion of an admin account, deletion of an account that was created recently (days to weeks ago) without going through a standard provisioning lifecycle, deletion by an unexpected or compromised Subject Account, or multiple deletions in rapid succession without an HR batch action.
- How do attackers use account deletion to cover their tracks?
- After achieving their objective — data exfiltration, deploying ransomware, establishing other persistence mechanisms — attackers delete the backdoor accounts they created. This removes the most obvious artifact of their persistence from Active Directory. The deletion itself generates a 4726 event, but without a corresponding 4720 to link it to, the event looks like a routine deprovisioning. Alert on the creation-deletion lifecycle: search for any 4726 where a 4720 for the same account name exists within the past 30 days and no HR ticket corresponds. The time between creation and deletion is often a reliable indicator — legitimate accounts are rarely created and deleted within days.
- Can a deleted domain account be recovered from Event ID 4726?
- Not directly from the event log. Event ID 4726 confirms the deletion happened and identifies who did it, but it does not contain enough information to reconstruct the account. Recovering a deleted AD account requires either the Active Directory Recycle Bin (if enabled; available from Windows Server 2008 R2 onward at the required forest functional level) or restoring from a backup. If you discover a malicious 4726 quickly enough and the AD Recycle Bin is enabled, the account object may still be in the recycle bin. Otherwise, full recreation (including all group memberships, permissions, and SPNs) is required.
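The two correlations described in Investigation Tips 1 and 2 and in the FAQ answer on track covering (a 4726 whose target has a 4720 within the past 30 days, and 3+ deletions by one Subject within 5 minutes), as an added example that is not part of the original page or of EventPeeker. The event rows are constructed sample data; the field names mirror the Security log's TimeCreated, EventID, TargetUserName and SubjectUserName, and the functions assume the rows were already extracted from the .evtx.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events, not real logs: (TimeCreated, EventID, TargetUserName, SubjectUserName)
SAMPLE_EVENTS = [
    ("2024-03-01 09:00:00", 4720, "svc-backup2",    "admin.jane"),     # created
    ("2024-03-02 10:00:00", 4720, "contractor.bob", "hr-automation"),
    ("2024-03-05 22:13:00", 4725, "contractor.bob", "hr-automation"),  # disabled first
    ("2024-05-19 22:14:00", 4726, "contractor.bob", "hr-automation"),  # deleted 78 days later
    ("2024-03-20 01:02:00", 4726, "svc-backup2",    "admin.jane"),     # deleted 18 days after creation
    ("2024-03-21 03:00:00", 4726, "alice",          "admin.jane"),
    ("2024-03-21 03:01:00", 4726, "bob",            "admin.jane"),
    ("2024-03-21 03:03:00", 4726, "carol",          "admin.jane"),
]

def parse(rows):
    """Normalise raw tuples into dicts with a datetime, sorted by time."""
    parsed = [{"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
               "id": eid, "target": tgt, "subject": subj}
              for t, eid, tgt, subj in rows]
    return sorted(parsed, key=lambda e: e["time"])

def creation_deletion_lifecycle(rows, window_days=30):
    """Tip 1 / FAQ: flag a 4726 whose target had a 4720 within window_days.
    Returns [(target, created_at, deleted_at, days_between)]."""
    last_created, hits = {}, []
    for e in parse(rows):
        if e["id"] == 4720:
            last_created[e["target"]] = e["time"]
        elif e["id"] == 4726 and e["target"] in last_created:
            age = e["time"] - last_created[e["target"]]
            if age <= timedelta(days=window_days):
                hits.append((e["target"], last_created[e["target"]], e["time"], age.days))
    return hits

def rapid_deletions(rows, threshold=3, window_minutes=5):
    """Tip 2: threshold or more 4726s by one Subject within window_minutes (sliding window)."""
    by_subject = defaultdict(list)
    for e in parse(rows):
        if e["id"] == 4726:
            by_subject[e["subject"]].append(e)
    window, hits = timedelta(minutes=window_minutes), []
    for subject, dels in by_subject.items():
        start = 0
        for end in range(len(dels)):
            while dels[end]["time"] - dels[start]["time"] > window:
                start += 1  # drop deletions older than the window
            if end - start + 1 >= threshold:
                hits.append((subject, [d["target"] for d in dels[start:end + 1]]))
                break  # one alert per subject is enough
    return hits
```

Both functions return the matches rather than printing them, so the same logic can feed a SIEM rule or a triage script; the HR/change-ticket check from the tips still has to be done against your ticketing system.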
Go deeper: the full Account Persistence — Backdoor Accounts and Unauthorized Group Changes guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.