Windows Event ID 4743 — Computer Account Deleted
Logged when a computer account is deleted from Active Directory. Attackers delete computer accounts as post-attack cleanup after MachineAccountQuota abuse, Kerberoasting, resource-based constrained delegation (RBCD) attacks, or DCShadow operations. A computer account created for an attack and deleted within days completes the create-use-delete lifecycle: the account is gone from AD, but the events that record its creation, configuration, use and deletion remain in the Security log.
MITRE ATT&CK
T1098 · Account Manipulation
Persistence
Why It Matters
Computer account deletion by itself is not suspicious, but in the context of the attack lifecycle it is the cleanup phase. If a 4743 event pairs with a 4741 event in which a non-admin created the account, and the account was short-lived with no corresponding SCCM enrollment, Intune record, or domain-join ticket, the full lifecycle (create → use → delete) is preserved in the event log. For DCShadow specifically, 4743 is the final event in the chain: the rogue DC registration is removed via LDAP, and detection depends on correlating this deletion with the preceding 4741 and with the 4928/4929 replica-source events that the legitimate DC logged while the rogue DC was registered.
Key Fields
Investigation Tips
- 1. Correlate 4743 with the preceding 4741: search for a 4741 event with the same Computer Account Name (TargetUserName). If the account was created and deleted within days and no SCCM, Intune, or change record explains the machine's lifecycle, treat the deletion as attacker cleanup. The time delta between creation and deletion is the exploitation window to search.
- 2. Check whether the deleted account carried SPNs: if the 4741 (or a later 4742) for the account shows Service Principal Names set, search 4769 events whose Service Name is the account's sAMAccountName (for example COMPUTER$, since 4769 records the service account, not the SPN string) between the creation and deletion timestamps. Service ticket requests in that window confirm the account's SPNs were used before cleanup.
- 3. Creator equals deleter on a non-admin account: for MachineAccountQuota abuse, the account that created the computer object (Subject Account Name in 4741) is typically the same account that deletes it (Subject Account Name in 4743). A non-admin account appearing as the subject in both a 4741 and the matching 4743 is a strong indicator of an attacker-controlled account and should be investigated as one.
- 4. DCShadow final cleanup: DCShadow registers a rogue DC via LDAP (4741 for the computer account, alongside the nTDSDSA object), pushes malicious changes through replication, then removes the rogue DC registration (4743). The signature is 4741 (a "DC" registered by an account that is not performing a planned promotion) + 4928/4929 (replica source naming context established and removed, with a Source DRA naming a server that is not a known DC) + 4743 (rogue DC deleted). All three in close succession should be treated as DCShadow execution until the promotion is accounted for.
Related Event IDs
Frequently Asked Questions
- Is deleting a computer account suspicious?
- Computer account deletions are routine in environments with regular hardware refresh cycles, VM decommissions, and AD cleanup processes. Legitimate deletions are performed by Domain Admins or AD lifecycle management tools and correspond to real hardware being retired or VMs being destroyed. The suspicious signals are: (1) an account that is neither a Domain Admin nor a known lifecycle automation account performing the deletion, (2) a short-lived account (created and deleted within days), (3) an account name that does not match your naming convention, (4) no corresponding decommission ticket, SCCM removal record, or similar documentation. Individual 4743 events are low priority; a 4743 correlated with a matching 4741 from the same non-admin account is high priority.
- How does Event 4743 fit into a DCShadow attack?
- DCShadow is an Active Directory attack in which an attacker who already holds Domain Admin (or equivalent) privileges registers a rogue domain controller by creating a computer account and an nTDSDSA object in AD (generating 4741 for the computer account and, where Directory Service Changes auditing is enabled, 5137 for the nTDSDSA object), then uses the DRS (Directory Replication Service) protocol to push arbitrary AD changes, including password changes, SIDHistory injection, and AdminSDHolder modifications, directly into the domain without generating the 4720/4728/4738 events the same changes would produce through LDAP. Once the malicious replication completes, the attacker deletes the rogue DC registration (generating 4743). Detection relies on 4741 + 4928/4929 whose Source DRA names a server that is not a known DC + 4743 appearing in close temporal proximity. Without correlating all three, each event looks benign; this is why DCShadow evades tools that analyze events in isolation.
- What is the attacker lifecycle for computer account abuse?
- The typical attacker lifecycle for computer account abuse follows a create-configure-use-delete pattern. Step 1 (4741): the attacker creates a computer account through MachineAccountQuota abuse; by default any domain user can create up to ten without admin rights, using tools such as PowerMad. Step 2 (4742): the attacker configures the attack, adding SPNs to the new account, setting a known password, or, for RBCD, writing msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer so that it trusts the new account (that 4742 is logged against the target, not the new account). Step 3: the attacker executes the attack, requesting service tickets (4769) to crack, or using S4U2Self and S4U2Proxy to impersonate privileged users against the target (RBCD). Step 4 (4743): the attacker deletes the computer account to remove the visible artifact from AD. Even after deletion, all of these events remain in the Security event log, which is why comprehensive log retention with correlation rules across 4741, 4742, 4743, and 4769 is the reliable detection method.
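The correlation described in Investigation Tips 1-4 and in the lifecycle and DCShadow FAQ answers above, as an added example that is not part of the original page or of EventPeeker: Python that runs the create-configure-use-delete pairing and the 4741 → 4928/4929 → 4743 chain over constructed event records. The records, account names, admin list and DC list are assumptions made for the example; field names follow the Security log's XML data names (TargetUserName, SubjectUserName, ServiceName, SourceDRA), and a real pipeline would build the same flat dicts from EVTX XML or a SIEM export.

```python
"""Correlate computer-account lifecycle events (4741 -> 4742 -> 4769 -> 4743)
and the DCShadow chain (4741 -> 4928/4929 -> 4743).
Input records are constructed for this example; a real pipeline would build
the same flat dicts from EVTX XML or a SIEM export."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment knowledge (constructed): privileged accounts and real DC host names.
ADMIN_ACCOUNTS = {"da.backup", "ad-lifecycle-svc"}
KNOWN_DCS = {"DC01", "DC02"}

# Constructed sample events; field names follow the Security log's XML data names.
SAMPLE_EVENTS = [
    # MachineAccountQuota abuse: non-admin creates, adds an SPN, gets a TGS for it, deletes.
    {"EventID": 4741, "Time": "2024-03-01T09:00:00", "SubjectUserName": "jsmith",
     "TargetUserName": "DESKTOP-X9Q1$", "ServicePrincipalNames": ["HOST/DESKTOP-X9Q1"]},
    {"EventID": 4742, "Time": "2024-03-01T09:01:00", "SubjectUserName": "jsmith",
     "TargetUserName": "DESKTOP-X9Q1$", "ServicePrincipalNames": ["HTTP/web01.corp.local"]},
    {"EventID": 4769, "Time": "2024-03-01T10:15:00", "TargetUserName": "jsmith@CORP.LOCAL",
     "ServiceName": "DESKTOP-X9Q1$", "IpAddress": "::ffff:10.0.0.55"},
    {"EventID": 4743, "Time": "2024-03-03T18:30:00", "SubjectUserName": "jsmith",
     "TargetUserName": "DESKTOP-X9Q1$"},
    # Routine decommission: lifecycle account deletes an old workstation, no 4741 in scope.
    {"EventID": 4743, "Time": "2024-03-02T11:00:00", "SubjectUserName": "ad-lifecycle-svc",
     "TargetUserName": "WS-0451$"},
    # DCShadow-shaped chain: a "DC" is registered, replica context established and removed, object deleted.
    {"EventID": 4741, "Time": "2024-03-04T02:00:00", "SubjectUserName": "da.backup",
     "TargetUserName": "DC-TEMP$", "ServicePrincipalNames": []},
    {"EventID": 4928, "Time": "2024-03-04T02:02:00", "NamingContext": "DC=corp,DC=local",
     "SourceDRA": "CN=NTDS Settings,CN=DC-TEMP,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=local"},
    {"EventID": 4929, "Time": "2024-03-04T02:03:00", "NamingContext": "DC=corp,DC=local",
     "SourceDRA": "CN=NTDS Settings,CN=DC-TEMP,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=local"},
    {"EventID": 4743, "Time": "2024-03-04T02:05:00", "SubjectUserName": "da.backup",
     "TargetUserName": "DC-TEMP$"},
]


def _t(ev):
    return datetime.fromisoformat(ev["Time"])


def _pair_create_delete(events):
    """Yield (account, first 4741, last 4743, all 4741/4742/4743 for it) for accounts with both."""
    idx = defaultdict(list)
    for ev in events:
        if ev["EventID"] in (4741, 4742, 4743):
            idx[ev["TargetUserName"].upper()].append(ev)
    for acct, evs in idx.items():
        created = [e for e in evs if e["EventID"] == 4741]
        deleted = [e for e in evs if e["EventID"] == 4743]
        if created and deleted:  # an isolated 4743 is low priority (see FAQ)
            yield acct, min(created, key=_t), max(deleted, key=_t), evs


def lifecycle_findings(events, admin_accounts=ADMIN_ACCOUNTS, max_lifetime_days=7):
    """Tips 1-3: exploitation window, creator == deleter, non-admin creator,
    and 4769 requests for the account (ServiceName is its sAMAccountName, e.g. HOST$)."""
    findings = []
    for acct, c, d, evs in _pair_create_delete(events):
        lifetime = _t(d) - _t(c)
        spns = {s for e in evs for s in e.get("ServicePrincipalNames", [])}
        tgs = [e for e in events if e["EventID"] == 4769
               and e["ServiceName"].upper() == acct and _t(c) <= _t(e) <= _t(d)]
        creator, deleter = c["SubjectUserName"].lower(), d["SubjectUserName"].lower()
        reasons = []
        if lifetime <= timedelta(days=max_lifetime_days):
            reasons.append(f"short-lived ({lifetime})")
        if creator == deleter:
            reasons.append(f"creator == deleter ({creator})")
        if creator not in admin_accounts:
            reasons.append("created by non-admin (MachineAccountQuota)")
        if spns and tgs:
            reasons.append(f"{len(tgs)} TGS request(s) for SPN-bearing account")
        if creator not in admin_accounts and creator == deleter:
            priority = "high"      # the FAQ's high-priority case
        elif reasons:
            priority = "medium"
        else:
            priority = "low"
        findings.append({"account": acct, "created": c["Time"], "deleted": d["Time"],
                         "tgs_requests": len(tgs), "reasons": reasons, "priority": priority})
    return findings


def dcshadow_findings(events, known_dcs=KNOWN_DCS, window=timedelta(hours=24)):
    """Tip 4 / FAQ: 4741 for a host that is not a known DC, 4928/4929 whose Source DRA
    (the DN of the replica's NTDS Settings object) names that host, then 4743, inside one window."""
    repl = [e for e in events if e["EventID"] in (4928, 4929)]
    out = []
    for acct, c, d, _ in _pair_create_delete(events):
        host = acct.rstrip("$")
        if host in known_dcs or _t(d) - _t(c) > window:
            continue
        hits = [e for e in repl if f",CN={host},".upper() in e["SourceDRA"].upper()
                and _t(c) <= _t(e) <= _t(d)]
        if hits:
            out.append({"account": acct, "registered_by": c["SubjectUserName"], "deleted": d["Time"],
                        "replication_events": sorted({e["EventID"] for e in hits})})
    return out


if __name__ == "__main__":
    for f in lifecycle_findings(SAMPLE_EVENTS):
        print(f"[{f['priority'].upper()}] {f['account']}: {'; '.join(f['reasons'])}")
    for f in dcshadow_findings(SAMPLE_EVENTS):
        print(f"[DCSHADOW] {f['account']} registered by {f['registered_by']}, repl {f['replication_events']}")
```

On the sample data the MachineAccountQuota account is rated high (short-lived, same non-admin subject on 4741 and 4743, one TGS request against its SPNs), the lifecycle-tool deletion of WS-0451$ produces no finding because no 4741 falls in scope, and DC-TEMP$ is reported by the DCShadow check because the Source DRA of the 4928/4929 pair names a host that is not in the known-DC list. Tune `max_lifetime_days`, the admin set and the DC list to your environment; the DCShadow window is deliberately short because the rogue registration typically lives for minutes.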