Windows Event ID 4748 – Microsoft-Windows-Security-Auditing: Computer Account Deleted

Start by examining the specific Event ID 4748 details to understand what computer account was deleted and who performed the action.

1. Open Event Viewer on the domain controller
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4748 using the filter option
4. Double-click the event to view detailed information
5. Review the Subject section to identify who deleted the account
6. Check the Target Account section for the deleted computer name
7. Note the Logon ID to correlate with other security events

Use PowerShell to query recent 4748 events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4748} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='ComputerDeleted';Expression={($_.Message -split '\n' | Where-Object {$_ -match 'Account Name:'} | Select-Object -First 1).Split(':')[1].Trim()}}

Cross-reference the deletion with logon events to build a complete timeline of administrative activity.

1. Note the Logon ID from the 4748 event details
2. Search for Event ID 4624 (successful logon) with matching Logon ID
3. Look for Event ID 4634 (logoff) to determine session duration
4. Check for other administrative events during the same logon session

PowerShell command to find related logon events:

$LogonID = "0x3e7"  # Replace with actual Logon ID from 4748 event
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634} | Where-Object {$_.Message -match $LogonID} | Select-Object TimeCreated, Id, Message

This correlation helps determine if the deletion was part of a legitimate administrative session or potentially unauthorized activity.

Investigate the deleted computer account's history to understand its lifecycle and determine if the deletion was appropriate.

1. Search for Event ID 4741 (computer account created) for the same computer name
2. Look for Event ID 4742 (computer account changed) events
3. Check Event ID 4743 (computer account deleted) if it exists
4. Review authentication events (4768, 4769) for the computer account

PowerShell script to trace computer account lifecycle:

$ComputerName = "WORKSTATION01$"  # Replace with actual computer name
$Events = @(4741, 4742, 4748)  # Created, Changed, Deleted

foreach ($EventID in $Events) {
    Write-Host "Searching for Event ID $EventID..."
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$EventID} | Where-Object {$_.Message -match $ComputerName} | Select-Object TimeCreated, Id, @{Name='Details';Expression={($_.Message -split '\n')[0..5] -join ' '}}
}

Set up proactive monitoring to detect and alert on computer account deletions in real-time.

1. Configure Windows Event Forwarding (WEF) to centralize 4748 events
2. Create custom event log subscriptions on collector servers
3. Set up PowerShell-based monitoring scripts
4. Configure SIEM integration for automated alerting

Create a scheduled task to monitor for 4748 events:

# Create monitoring script
$ScriptBlock = {
    $LastHour = (Get-Date).AddHours(-1)
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4748; StartTime=$LastHour} -ErrorAction SilentlyContinue
    
    if ($Events) {
        foreach ($Event in $Events) {
            $Message = "Computer account deleted: " + ($Event.Message -split '\n' | Where-Object {$_ -match 'Account Name:'} | Select-Object -First 1)
            Write-EventLog -LogName Application -Source "Custom Monitor" -EventId 1001 -Message $Message -EntryType Warning
        }
    }
}

# Register scheduled task
Register-ScheduledTask -TaskName "Monitor-ComputerDeletions" -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)) -Action (New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command $ScriptBlock")

Perform comprehensive forensic analysis when unauthorized computer account deletions are suspected.

1. Export all related security events to EVTX files for preservation
2. Analyze network traffic logs for LDAP deletion requests
3. Review change management records for authorized deletions
4. Check backup systems for computer account restoration if needed
5. Document findings for incident response procedures

Export security events for forensic analysis:

# Export events to EVTX file
$StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
$ExportPath = "C:\Forensics\Security_Events_$(Get-Date -Format 'yyyyMMdd_HHmmss').evtx"

wevtutil epl Security $ExportPath "/q:*[System[TimeCreated[@SystemTime>='$($StartTime.ToString('yyyy-MM-ddTHH:mm:ss.fffZ'))' and @SystemTime<='$($EndTime.ToString('yyyy-MM-ddTHH:mm:ss.fffZ'))']]]" /ow:true

Write-Host "Security events exported to: $ExportPath"

Create detailed incident report:

# Generate incident report
$Report = @()
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4748; StartTime=(Get-Date).AddDays(-1)}

foreach ($Event in $Events) {
    $Report += [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        ComputerDeleted = ($Event.Message -split '\n' | Where-Object {$_ -match 'Target.*Account Name:'} | Select-Object -First 1).Split(':')[1].Trim()
        DeletedBy = ($Event.Message -split '\n' | Where-Object {$_ -match 'Subject.*Account Name:'} | Select-Object -First 1).Split(':')[1].Trim()
        LogonID = ($Event.Message -split '\n' | Where-Object {$_ -match 'Logon ID:'} | Select-Object -First 1).Split(':')[1].Trim()
    }
}

$Report | Export-Csv -Path "C:\Reports\ComputerDeletions_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation