EventPeeker
Scan your Security and Sysmon logs·Detection guides
Event ID 4722Audit SuccessSecurityT1078

Windows Event ID 4722User Account Enabled

Logged when a disabled user account is re-enabled.

MITRE ATT&CK

Technique

T1078 · Valid Accounts

Tactic

Persistence

View on attack.mitre.org →

Why It Matters

Re-enabling old or disabled accounts is a common attacker technique — these accounts may still have valid credentials and group memberships from when they were active, providing ready-made access without creating a detectable new account.

Key Fields

Target Account NameThe account that was re-enabled
Subject Account NameWho re-enabled it

Investigation Tips

  1. 1.Check if the re-enabled account was disabled as part of an offboarding process.
  2. 2.Look for subsequent logons (4624) from the re-enabled account.
  3. 3.Correlate with change management tickets — was this re-enablement authorized?

Related Event IDs

4725Account disabled
4624Logon with the re-enabled account
4728Added to privileged group after re-enabling

See Event ID 4722 in your logs

Upload a Windows Event Log (.evtx) file — EventPeeker automatically detects user account enabled patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →
← All detection guides·Analyze EVTX Logs Free →