User account deleted via Net command
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| User account deleted via Net command | Standard | Windows | Impact: Account Access Removal (T1531) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Detects deletion of a user account using the net command.
Why this rule?
Deleting a user account with net.exe is either legitimate de-provisioning or an attacker action. Adversaries delete accounts to cover their tracks and remove evidence of the accounts they compromised, to disrupt operations by removing critical service or administrative accounts, or as the destructive stage of a ransomware or wiper campaign, where account deletion makes recovery harder and maximizes operational impact.
Severity
Trouble
Rule journey
Attack chain scenario
Impact → Net Command Execution → User Account Deletion → Access Removal → Service Disruption.
Impact
Unauthorized account deletion can disrupt operations, remove legitimate user access, and cover attacker tracks by eliminating evidence.
Rule Requirement
Prerequisites
Enable process creation monitoring: Sysmon Event ID 1, or Windows Security Event ID 4688 with the "Include command line in process creation events" audit policy enabled, because the criteria below depend on the COMMANDLINE field and 4688 carries an empty command line without that policy. Note that net.exe hands the actual work to a child net1.exe with the same arguments, which is why both binaries are matched; one deletion therefore normally produces two matching process-creation events.
Criteria
Action1: actionname = "Process started" AND (( PROCESSNAME endswith "net.exe,net1.exe" OR ORIGINALFILENAME = "net.exe,net1.exe" ) AND ( COMMANDLINE contains "user" AND COMMANDLINE contains "/delete" )) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.PARENTPROCESSCOMMANDLINE,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID,Action1.DOMAIN
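The criteria above, as an added example that is not the vendor's rule code: a Python evaluation of the same logic over constructed Sysmon-style process-creation records (field names follow the Sysmon Event ID 1 schema; the hosts, users and command lines are made up). It also shows two things the one-line criteria leave implicit: a net1.exe child of a net.exe that already alerted is folded into a single alert, and a second matcher that tolerates net.exe's abbreviated switches (net user bob /del), which the literal "/delete" match misses.

```python
import re

# Constructed Sysmon Event ID 1-style records, not real telemetry. Field names
# follow the Sysmon schema (Image, OriginalFileName, CommandLine, ParentImage,
# ProcessId, ParentProcessId, User). The list is in time order.
SAMPLE_EVENTS = [
    # 1. Interactive deletion: net.exe starts, then hands off to net1.exe.
    {"ProcessId": 4100, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\net.exe",
     "OriginalFileName": "net.exe", "CommandLine": "net user svc_backup /delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
    {"ProcessId": 4101, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\net1.exe",
     "OriginalFileName": "net1.exe", "CommandLine": r"C:\Windows\system32\net1 user svc_backup /delete",
     "ParentImage": r"C:\Windows\System32\net.exe", "User": "CORP\\jdoe"},
    # 2. Renamed copy of net.exe deleting a domain account: the Image check fails,
    #    the OriginalFileName (PE version resource) check still catches it.
    {"ProcessId": 4200, "ParentProcessId": 3000, "Image": r"C:\Users\Public\n.exe",
     "OriginalFileName": "net.exe", "CommandLine": "n.exe USER admin_old /DELETE /domain",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": "CORP\\jdoe"},
    # 3. Benign: listing accounts, no /delete switch.
    {"ProcessId": 4300, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\net.exe",
     "OriginalFileName": "net.exe", "CommandLine": "net user",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
    # 4. Unrelated binary whose command line happens to mention users and deletion.
    {"ProcessId": 4400, "ParentProcessId": 3000, "Image": r"C:\Tools\cleanup.exe",
     "OriginalFileName": "cleanup.exe", "CommandLine": "cleanup.exe --user tmp --delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\svc_cleanup"},
    # 5. Abbreviated switch: deletes the account, but contains no literal "/delete".
    {"ProcessId": 4500, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\net.exe",
     "OriginalFileName": "net.exe", "CommandLine": "net user tmp_acct /del",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\jdoe"},
]

NET_BINARIES = ("net.exe", "net1.exe")


def is_net_binary(event):
    """PROCESSNAME endswith net.exe/net1.exe OR ORIGINALFILENAME is one of them."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(NET_BINARIES) or original in NET_BINARIES


def matches_rule(event):
    """Literal translation of the page's criteria. Comparison is case-insensitive
    because cmd.exe and net.exe treat 'USER /DELETE' exactly like 'user /delete'."""
    cmd = event.get("CommandLine", "").lower()
    return is_net_binary(event) and "user" in cmd and "/delete" in cmd


# net.exe accepts abbreviated switches, so "/del" (or any longer prefix of
# /delete) removes the account; no other "net user" switch starts with /del.
ABBREV_DELETE = re.compile(r"\buser\b.*\s/del\w*", re.IGNORECASE)


def matches_rule_hardened(event):
    """Same binary check, but the switch match tolerates abbreviation."""
    return is_net_binary(event) and bool(ABBREV_DELETE.search(event.get("CommandLine", "")))


def evaluate(events, matcher=matches_rule):
    """Run the matcher over an ordered event stream and return one alert per
    deletion: a matching net1.exe whose parent net.exe already alerted is the
    same action, so it is folded into the parent's alert."""
    alerts = []
    alerted_pids = set()
    for event in events:
        if not matcher(event):
            continue
        image = event.get("Image", "").lower()
        if image.endswith("net1.exe") and event.get("ParentProcessId") in alerted_pids:
            continue
        alerted_pids.add(event["ProcessId"])
        alerts.append({
            "pid": event["ProcessId"],
            "user": event.get("User"),
            "image": event.get("Image"),
            "command_line": event.get("CommandLine"),
            "parent": event.get("ParentImage"),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, matches_rule_hardened):
        print(alert)
```

Run against the sample stream, the literal rule produces two alerts (the interactive deletion and the renamed binary) and misses the abbreviated /del; the hardened matcher produces three. Whether the vendor's query engine compares strings case-insensitively is an assumption here; check it before relying on the rule against mixed-case command lines.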
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Impact: Account Access Removal (T1531)
Future actions
Known False Positives
Normal user de-provisioning activities, automated account lifecycle management scripts, or IT support operations removing stale accounts.
Next Steps
- Identification: Identify the deleted account and the user who performed the deletion from the process-creation event (USERNAME, COMMANDLINE, PARENTPROCESSNAME). Confirm that an account was actually removed with Security Event ID 4726 ("A user account was deleted"), which records the actor as SubjectUserName and the removed account as TargetUserName and TargetSid; for a deletion run with /domain that event is logged on the domain controller, not on the host that ran net.exe.
- Analysis: Determine whether the deletion was authorized or part of legitimate de-provisioning (a change ticket, an account lifecycle script, a help-desk operator), and whether the removed account was a service or administrative account whose loss disrupts operations.
- Response: Restore accidentally deleted accounts if necessary. If the deletion was unauthorized, treat the acting account as compromised, review its other activity on the host, and assess the operational impact of the removed access.
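The identification step above as added example code, not the vendor's playbook: join the rule's alert with Security Event ID 4726 records to name the deleted account and the actor, and flag whether the actor is on a hypothetical allow-list of approved de-provisioning identities. All records and hosts are constructed; the 4726 field names (SubjectUserName, TargetUserName, TargetSid) are the real ones.

```python
from datetime import datetime, timedelta

# Constructed records, not real telemetry. ALERT is what the rule emits for one
# matching process-creation event; SECURITY_4726 are Security-log
# "A user account was deleted" events. In 4726, SubjectUserName is the actor
# and TargetUserName/TargetSid identify the account that was removed.
ALERT = {
    "host": "WS-042",
    "time": datetime(2024, 5, 6, 9, 14, 3),
    "user": "CORP\\jdoe",
    "command_line": "net user svc_backup /delete",
}

SECURITY_4726 = [
    # The deletion this alert describes: same host, same actor, one second later.
    {"host": "WS-042", "time": datetime(2024, 5, 6, 9, 14, 4),
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "TargetDomainName": "WS-042", "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    # Same actor on a different host: not this alert's deletion.
    {"host": "WS-077", "time": datetime(2024, 5, 6, 9, 14, 5),
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "TargetDomainName": "WS-077", "TargetUserName": "tmp_build",
     "TargetSid": "S-1-5-21-4444444444-5555555555-6666666666-1003"},
    # Routine de-provisioning by the IAM service account, hours earlier.
    {"host": "WS-042", "time": datetime(2024, 5, 6, 6, 2, 0),
     "SubjectDomainName": "CORP", "SubjectUserName": "svc_iam",
     "TargetDomainName": "WS-042", "TargetUserName": "contractor9",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1088"},
]

# Hypothetical allow-list: identities that run approved account-lifecycle scripts.
AUTHORIZED_DEPROVISIONERS = {"CORP\\svc_iam"}


def confirming_4726(alert, events, window=timedelta(minutes=2)):
    """Return the 4726 records that confirm the alert's deletion: same actor,
    logged within `window` after the process start. A local-account deletion is
    logged on the same host; "net user X /delete /domain" is logged by the
    domain controller that processed it, so the host filter is dropped then."""
    actor = alert["user"].lower()
    domain_delete = "/domain" in alert["command_line"].lower()
    start, end = alert["time"], alert["time"] + window
    hits = []
    for ev in events:
        subject = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'.lower()
        if subject != actor or not (start <= ev["time"] <= end):
            continue
        if not domain_delete and ev["host"] != alert["host"]:
            continue
        hits.append(ev)
    return hits


def triage(alert, events):
    """Name the deleted account(s) and the actor, say whether 4726 confirms the
    deletion, and whether the actor is an approved de-provisioning identity.
    No confirming 4726 means the command ran but removed nothing (wrong name,
    insufficient rights) or User Account Management auditing is off on that host."""
    hits = confirming_4726(alert, events)
    return {
        "actor": alert["user"],
        "deleted_accounts": [f'{h["TargetDomainName"]}\\{h["TargetUserName"]}' for h in hits],
        "deleted_sids": [h["TargetSid"] for h in hits],
        "confirmed": bool(hits),
        "authorized_actor": alert["user"] in AUTHORIZED_DEPROVISIONERS,
    }


if __name__ == "__main__":
    print(triage(ALERT, SECURITY_4726))
```

Keeping the SID from 4726 matters for the response step: a recreated account with the same name gets a new SID, so any ACL that referenced the old one stays broken until it is re-granted.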