Event ID 4656 — A handle to an object was requested.

Provider
Microsoft-Windows-Security-Auditing
Channel
Security
Audit Policy
Object Access → File System
Collection Priority
Recommended (Palantir, others)
Opcode
Info

Description

A handle to an object was requested.

Message

A handle to an object was requested.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %14
	Process Name: %15

Access Request Information:
	Transaction ID: %9
	Accesses: %10
	Access Mask: %11
	Privileges Used for Access Check: %12
	Restricted SID Count: %13

Fields

Name                          Description
Security_ID                   [Subject] Security ID.
Account_Name                  [Subject] Account Name.
Account_Domain                [Subject] Account Domain.
Logon_ID                      [Subject] Logon ID.
Object_Server                 [Object] Object Server.
Object_Type                   [Object] Object Type.
Object_Name                   [Object] Object Name.
Handle_ID                     [Object] Handle ID.
Transaction_ID                [Access Request Information] Transaction ID.
Accesses                      [Access Request Information] Accesses.
Access_Mask                   [Access Request Information] Access Mask (see the access mask reference).
PrivilegesUsedForAccessCheck  [Access Request Information] Privileges Used for Access Check (see the privilege constants reference).
Restricted_SID_Count          [Access Request Information] Restricted SID Count.
Process_ID                    [Process Information] Process ID.
Process_Name                  [Process Information] Process Name.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4656,
    "version": 1,
    "level": 0,
    "task": 12802,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2020-03-08T22:11:34.340479Z",
    "event_record_id": 314461,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 160
    },
    "channel": "Security",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-3461203602-4096304019-2269080069-1000",
    "SubjectUserName": "IEUser",
    "SubjectDomainName": "MSEDGEWIN10",
    "SubjectLogonId": "0x33392",
    "ObjectServer": "Security",
    "ObjectType": "Process",
    "ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe",
    "HandleId": "0x558",
    "TransactionId": "00000000-0000-0000-0000-000000000000",
    "AccessList": "%%1537\r\n\t\t\t\t%%1538\r\n\t\t\t\t%%1539\r\n\t\t\t\t%%1540\r\n\t\t\t\t%%1541\r\n\t\t\t\t%%4480\r\n\t\t\t\t%%4481\r\n\t\t\t\t%%4482\r\n\t\t\t\t%%4483\r\n\t\t\t\t%%4484\r\n\t\t\t\t%%4485\r\n\t\t\t\t%%4486\r\n\t\t\t\t%%4487\r\n\t\t\t\t%%4488\r\n\t\t\t\t%%4489\r\n\t\t\t\t%%4490\r\n\t\t\t\t%%4491\r\n\t\t\t\t%%4492\r\n\t\t\t\t%%4493\r\n\t\t\t\t",
    "AccessReason": "-",
    "AccessMask": "0x1f3fff",
    "PrivilegeList": "-",
    "RestrictedSidCount": 0,
    "ProcessId": "0x1688",
    "ProcessName": "C:\\Windows\\System32\\cscript.exe",
    "ResourceAttributes": "-"
  }
}

Detection Patterns

Registry Keys Access

10 rules

Sigma

@BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)
Roberto Rodriguez @Cyb3rWard0g
Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
Roberto Rodriguez @Cyb3rWard0g

Community Notes

Correlated with Event 4663 (an attempt was made to access an object), 4656 may reveal bulk reads of sensitive shares before data exfiltration.

The AccessMask shown assumes File access rights (the most common context). The actual meaning of bits 0x01–0x80 depends on the ObjectType GUID at runtime. Common alternatives:

Bit   File                      Registry                Process                 Service
0x01  ReadData / ListDirectory  KEY_QUERY_VALUE         PROCESS_TERMINATE       SERVICE_QUERY_CONFIG
0x02  WriteData / AddFile       KEY_SET_VALUE           PROCESS_CREATE_THREAD   SERVICE_CHANGE_CONFIG
0x04  AppendData / AddSubDir    KEY_CREATE_SUB_KEY      PROCESS_SET_SESSIONID   SERVICE_QUERY_STATUS
0x08  ReadEA                    KEY_ENUMERATE_SUB_KEYS  PROCESS_VM_OPERATION    SERVICE_ENUMERATE_DEPENDENTS
0x10  WriteEA                   KEY_NOTIFY              PROCESS_VM_READ         SERVICE_START
0x20  Execute / Traverse        KEY_CREATE_LINK         PROCESS_VM_WRITE        SERVICE_STOP

Standard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).
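The following decoder is an added example (not code from this page or from Microsoft) that applies the table above: it names each set bit of a 4656 AccessMask according to the event's ObjectType, then falls back to the standard rights and the well-known generic rights. The bits 0x01 to 0x20 for each type and the standard rights are taken from the page; the Process bits 0x40 to 0x2000, the File bits 0x40 to 0x100, SYNCHRONIZE (0x100000) and the generic/system rights are the Windows SDK values and are an addition here. The registry column of the page is keyed as "Key", which is the string the event's ObjectType field actually carries for registry objects. The sample AccessList string is reconstructed from the example event above and is used only to cross-check that the decoded mask has the same number of entries.

```python
"""Decode a Windows Security event 4656 AccessMask by ObjectType (added example)."""
from typing import Dict, List, Union

# Bits 0x01-0x20 per object type come from the page's table.
FILE_RIGHTS: Dict[int, str] = {
    0x01: "ReadData / ListDirectory", 0x02: "WriteData / AddFile",
    0x04: "AppendData / AddSubDir", 0x08: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute / Traverse",
    # SDK values beyond the page's table (FILE_DELETE_CHILD, FILE_READ/WRITE_ATTRIBUTES)
    0x40: "DeleteChild", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
}
KEY_RIGHTS: Dict[int, str] = {
    0x01: "KEY_QUERY_VALUE", 0x02: "KEY_SET_VALUE", 0x04: "KEY_CREATE_SUB_KEY",
    0x08: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
}
PROCESS_RIGHTS: Dict[int, str] = {
    0x01: "PROCESS_TERMINATE", 0x02: "PROCESS_CREATE_THREAD",
    0x04: "PROCESS_SET_SESSIONID", 0x08: "PROCESS_VM_OPERATION",
    0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
    # SDK values beyond the page's table
    0x40: "PROCESS_DUP_HANDLE", 0x80: "PROCESS_CREATE_PROCESS",
    0x100: "PROCESS_SET_QUOTA", 0x200: "PROCESS_SET_INFORMATION",
    0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
}
SERVICE_RIGHTS: Dict[int, str] = {
    0x01: "SERVICE_QUERY_CONFIG", 0x02: "SERVICE_CHANGE_CONFIG",
    0x04: "SERVICE_QUERY_STATUS", 0x08: "SERVICE_ENUMERATE_DEPENDENTS",
    0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
}
# The event's ObjectType string for registry objects is "Key"; "Registry" is kept
# as an alias so the page's column name also works.
TYPE_SPECIFIC: Dict[str, Dict[int, str]] = {
    "File": FILE_RIGHTS, "Key": KEY_RIGHTS, "Registry": KEY_RIGHTS,
    "Process": PROCESS_RIGHTS, "Service": SERVICE_RIGHTS,
}
# Standard rights shared by all types (page) plus SYNCHRONIZE (SDK).
STANDARD_RIGHTS: Dict[int, str] = {
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Well-known generic and system rights (SDK, not on the page).
GENERIC_RIGHTS: Dict[int, str] = {
    0x01000000: "ACCESS_SYSTEM_SECURITY", 0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}


def decode_access_mask(mask: Union[str, int], object_type: str) -> List[str]:
    """Return the names of all set bits, lowest bit first.

    `mask` may be the raw event string ("0x1f3fff") or an int. Bits with no
    known meaning for the given type are reported as unmapped_0x... so that
    nothing is silently dropped.
    """
    value = int(mask, 16) if isinstance(mask, str) else int(mask)
    specific = TYPE_SPECIFIC.get(object_type, {})
    names: List[str] = []
    for bit in range(32):
        flag = 1 << bit
        if not value & flag:
            continue
        names.append(
            specific.get(flag) or STANDARD_RIGHTS.get(flag)
            or GENERIC_RIGHTS.get(flag) or f"unmapped_{flag:#x}"
        )
    return names


def count_access_list_entries(access_list: str) -> int:
    """Count the %%NNNN message-ID tokens in a 4656 AccessList value."""
    return sum(1 for tok in access_list.split() if tok.startswith("%%"))


# Reconstructed from the example event on this page: 5 standard-right IDs
# (%%1537-%%1541) followed by 14 process-specific IDs (%%4480-%%4493).
EXAMPLE_ACCESS_LIST = "\r\n\t\t\t\t".join(
    f"%%{i}" for i in list(range(1537, 1542)) + list(range(4480, 4494))
) + "\r\n\t\t\t\t"

if __name__ == "__main__":
    names = decode_access_mask("0x1f3fff", "Process")  # from the example event
    print(len(names), "rights:", ", ".join(names))
    print("AccessList entries:", count_access_list_entries(EXAMPLE_ACCESS_LIST))
```

Run against the example event, the 0x1f3fff mask on a Process object decodes to all fourteen process-specific rights plus DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER and SYNCHRONIZE, nineteen names in total, which is exactly the number of %% entries in the event's AccessList. The same mask decoded as a File would name the low bits differently, which is the point the note above makes: always decode against ObjectType.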

Detection Rules

Sigma

Elastic

  • LSASS Memory Dump Handle Access (medium): Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.
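To show how the rule described above reduces to a check on 4656 fields, here is an added example (written for this page, not Elastic's rule code): it flags a handle request when the object is the lsass.exe process and the AccessMask is one of the three listed masks, and separately reports whether the mask carries the PROCESS_VM_READ bit (0x10) from the table in the community notes. The first sample event is the page's own example; the others are constructed.

```python
"""Triage 4656 events for handle requests on lsass.exe (added example)."""
from typing import Dict, List

# Access masks named in the Elastic rule description on this page.
LISTED_MASKS = {0x1FFFFF, 0x1010, 0x120089}
# Process-specific bit from the page's table.
PROCESS_VM_READ = 0x10


def _mask(event: Dict[str, str]) -> int:
    # The event_data value is a hex string such as "0x1f3fff".
    return int(event["AccessMask"], 16)


def is_lsass_handle(event: Dict[str, str]) -> bool:
    """True when the requested object is the lsass.exe process."""
    name = event.get("ObjectName", "").lower()
    return event.get("ObjectType") == "Process" and name.endswith("\\lsass.exe")


def matches_listed_masks(event: Dict[str, str]) -> bool:
    """The rule as described: lsass.exe object and an exact listed mask."""
    return is_lsass_handle(event) and _mask(event) in LISTED_MASKS


def requests_vm_read(event: Dict[str, str]) -> bool:
    """Broader variant: lsass.exe object and the VM_READ bit set."""
    return is_lsass_handle(event) and bool(_mask(event) & PROCESS_VM_READ)


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Summarise each event with both verdicts so an analyst can compare them."""
    return [
        {
            "ProcessName": e["ProcessName"],
            "AccessMask": e["AccessMask"],
            "listed_mask": matches_listed_masks(e),
            "vm_read": requests_vm_read(e),
        }
        for e in events
    ]


LSASS = "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Event from the page's example: cscript.exe, mask 0x1f3fff.
    {"ObjectType": "Process", "ObjectName": LSASS, "AccessMask": "0x1f3fff",
     "ProcessName": "C:\\Windows\\System32\\cscript.exe"},
    # Constructed: a listed mask on lsass.exe.
    {"ObjectType": "Process", "ObjectName": LSASS, "AccessMask": "0x1010",
     "ProcessName": "C:\\Users\\Public\\tool.exe"},
    # Constructed: limited-information query on lsass.exe (no VM_READ).
    {"ObjectType": "Process", "ObjectName": LSASS, "AccessMask": "0x1000",
     "ProcessName": "C:\\Windows\\System32\\Taskmgr.exe"},
    # Constructed: listed mask but a different target process.
    {"ObjectType": "Process", "AccessMask": "0x1010",
     "ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The two verdicts are complementary rather than nested: the page's example mask 0x1f3fff is not in the listed set but does carry VM_READ, while 0x120089 is listed although its low bits (0x89) do not include 0x10. Which check to deploy, or whether to run both, is a tuning decision against the false-positive volume observed in the environment.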

References