Windows Event ID 4760 – Microsoft-Windows-Security-Auditing: User Account Deleted

Start by examining the specific Event ID 4760 entry to understand the deletion context and identify the responsible party.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter the log by clicking Filter Current Log in the Actions pane
4. Enter 4760 in the Event IDs field and click OK
5. Double-click on the Event ID 4760 entry to view detailed information
6. Review the Subject section to identify who performed the deletion:
   • Security ID: SID of the account that deleted the user
   • Account Name: Username of the deleting account
   • Account Domain: Domain of the deleting account
   • Logon ID: Session identifier for correlation
7. Examine the Target Account section:
   • Security ID: SID of the deleted user account
   • Account Name: Username that was deleted
   • Account Domain: Domain where the account existed
8. Note the timestamp and correlate with any change management tickets or scheduled maintenance windows

Use PowerShell to search for Event ID 4760 across multiple systems and time ranges for comprehensive analysis.

1. Open PowerShell as Administrator
2. Query recent account deletion events on the local system:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4760} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

3. Search for specific user account deletions by filtering the message content:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4760} | Where-Object {$_.Message -like "*username*"} | Select-Object TimeCreated, Message

4. Query multiple domain controllers for comprehensive coverage:

   $DCs = Get-ADDomainController -Filter *
   foreach ($DC in $DCs) {
       Write-Host "Checking $($DC.Name)..."
       Invoke-Command -ComputerName $DC.Name -ScriptBlock {
           Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4760; StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue
       }
   }

5. Export results to CSV for analysis:

   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4760; StartTime=(Get-Date).AddDays(-30)} | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='DeletedUser';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Account Name:*'})[1] -replace '\s*Account Name:\s*',''}}, @{Name='DeletedBy';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Subject:*' -A 3})[1] -replace '\s*Account Name:\s*',''}} | Export-Csv -Path "C:\Temp\DeletedAccounts.csv" -NoTypeInformation

Cross-reference Event ID 4760 with Active Directory replication logs and change tracking to build a complete picture of account deletion activities.

1. Check Active Directory replication logs on domain controllers:

   Get-WinEvent -FilterHashtable @{LogName='Directory Service'; Id=1566,1567} -MaxEvents 100 | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)}

2. Query the Active Directory Recycle Bin for recently deleted objects:

   Get-ADObject -Filter {Deleted -eq $true -and ObjectClass -eq "user"} -IncludeDeletedObjects -Properties whenChanged,whenCreated,DisplayName,DistinguishedName | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-7)} | Sort-Object whenChanged -Descending

3. Review Directory Services logs for additional context:
   1. Open Event Viewer and navigate to Applications and Services Logs → Directory Service
   2. Look for Event IDs 1566 (object deleted) and 1567 (object moved to deleted objects container)
   3. Correlate timestamps with Event ID 4760 entries
4. Check Group Policy logs for automated deletion policies:

   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-GroupPolicy/Operational'; StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Message -like "*user*" -and $_.Message -like "*delet*"}

5. Examine the Security log for related events:
   • Event ID 4726: User account was deleted (legacy event)
   • Event ID 4738: User account was changed
   • Event ID 4781: Account name was changed

Analyze Event ID 4760 patterns to identify potential security incidents, unauthorized deletions, or compromised administrator accounts.

1. Create a PowerShell script to analyze deletion patterns:

   # Analyze account deletion patterns
   $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4760; StartTime=(Get-Date).AddDays(-30)}
   $Analysis = $Events | ForEach-Object {
       $Message = $_.Message
       $SubjectAccount = ($Message -split '\n' | Where-Object {$_ -match 'Subject:' -A 4})[1] -replace '\s*Account Name:\s*',''
       $TargetAccount = ($Message -split '\n' | Where-Object {$_ -match 'Target Account:' -A 4})[1] -replace '\s*Account Name:\s*',''
       [PSCustomObject]@{
           TimeCreated = $_.TimeCreated
           DeletedBy = $SubjectAccount
           DeletedUser = $TargetAccount
           ComputerName = $_.MachineName
       }
   }
   $Analysis | Group-Object DeletedBy | Sort-Object Count -Descending

2. Check for after-hours deletions that might indicate unauthorized access:

   $SuspiciousHours = $Analysis | Where-Object {$_.TimeCreated.Hour -lt 6 -or $_.TimeCreated.Hour -gt 22}
   $SuspiciousHours | Format-Table TimeCreated, DeletedBy, DeletedUser, ComputerName

3. Identify bulk deletion operations:

   $BulkDeletions = $Analysis | Group-Object DeletedBy, @{Expression={$_.TimeCreated.ToString("yyyy-MM-dd HH:mm")}} | Where-Object {$_.Count -gt 5}
   $BulkDeletions | ForEach-Object {Write-Host "$($_.Name) deleted $($_.Count) accounts" -ForegroundColor Yellow}

4. Cross-reference with failed logon attempts (Event ID 4625):

   $FailedLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)}
   $SuspiciousAccounts = $Analysis.DeletedBy | Where-Object {$_ -in ($FailedLogons | ForEach-Object {($_.Message -split '\n' | Where-Object {$_ -like '*Account Name:*'})[0] -replace '\s*Account Name:\s*',''})}

5. Generate a security report:

   $Report = @"
   Account Deletion Security Report - $(Get-Date)
   ================================================
   Total Deletions: $($Analysis.Count)
   Unique Administrators: $($Analysis.DeletedBy | Sort-Object -Unique | Measure-Object).Count
   After-Hours Deletions: $($SuspiciousHours.Count)
   Bulk Deletion Events: $($BulkDeletions.Count)
   
   Top Account Deleters:
   $($Analysis | Group-Object DeletedBy | Sort-Object Count -Descending | Select-Object -First 5 | Format-Table Name, Count | Out-String)
   "@
   $Report | Out-File -FilePath "C:\Temp\AccountDeletionReport.txt"

Set up proactive monitoring for Event ID 4760 to detect unauthorized account deletions in real-time and establish proper audit trails.

1. Configure Windows Event Forwarding to centralize Event ID 4760 collection:
   1. On the collector server, run:

      wecutil qc

   2. Create a custom subscription XML file:

      <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
          <SubscriptionId>AccountDeletions</SubscriptionId>
          <SubscriptionType>SourceInitiated</SubscriptionType>
          <Description>Account Deletion Events</Description>
          <Enabled>true</Enabled>
          <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
          <ConfigurationMode>Normal</ConfigurationMode>
          <Query><![CDATA[
              <QueryList>
                  <Query Id="0">
                      <Select Path="Security">*[System[EventID=4760]]</Select>
                  </Query>
              </QueryList>
          ]]></Query>
      </Subscription>

   3. Import the subscription:

      wecutil cs AccountDeletions.xml

2. Create a PowerShell scheduled task for real-time alerting:

   $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\MonitorAccountDeletions.ps1"
   $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
   $Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
   $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
   Register-ScheduledTask -TaskName "MonitorAccountDeletions" -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings

3. Configure audit policy for comprehensive logging:

   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

4. Set up Event Log size and retention policies:

   wevtutil sl Security /ms:1073741824  # Set Security log to 1GB
   wevtutil sl Security /rt:false        # Disable log overwrite

5. Create a monitoring script (C:\Scripts\MonitorAccountDeletions.ps1):

   # Monitor for new Event ID 4760 entries
   $LastCheck = Get-Content "C:\Scripts\LastCheck.txt" -ErrorAction SilentlyContinue
   if (-not $LastCheck) { $LastCheck = (Get-Date).AddMinutes(-5) }
   else { $LastCheck = [DateTime]$LastCheck }
   
   $NewEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4760; StartTime=$LastCheck} -ErrorAction SilentlyContinue
   
   if ($NewEvents) {
       $AlertMessage = "ALERT: $($NewEvents.Count) user account(s) deleted since $LastCheck"
       Write-EventLog -LogName Application -Source "AccountMonitor" -EventId 1001 -EntryType Warning -Message $AlertMessage
       # Add email notification or SIEM integration here
   }
   
   Get-Date | Out-File "C:\Scripts\LastCheck.txt"