Event ID 4661 — A handle to an object was requested.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → SAM
Collection Priority: Recommended (Yamato Security, others)
Opcode: Info

Description

A handle to an object was requested.

Message #

A handle to an object was requested.

Subject :
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %15
	Process Name: %16

Access Request Information:
	Transaction ID: %9
	Accesses: %10
	Access Mask: %11
	Privileges Used for Access Check: %12
	Properties: %13
	Restricted SID Count: %14

Fields #

Name	Description
`Security_ID`	[Subject] Security ID.
`Account_Name`	[Subject] Account Name.
`Account_Domain`	[Subject] Account Domain.
`Logon_ID`	[Subject] Logon ID.
`Object_Server`	[Object] Object Server.
`Object_Type`	[Object] Object Type.
`Object_Name`	[Object] Object Name.
`Handle_ID`	[Object] Handle ID.
`Transaction_ID`	[Access Request Information] Transaction ID.
`Accesses`	[Access Request Information] Accesses.
`Access_Mask`	[Access Request Information] Access Reasons. Bitmask flags `0x00000001` ReadPasswordParameters `0x00000002` WritePasswordParameters `0x00000004` ReadOtherParameters `0x00000008` WriteOtherParameters `0x00000010` CreateUser `0x00000020` CreateGlobalGroup `0x00000040` CreateLocalGroup `0x00000080` GetLocalGroupMembership `0x00000100` ListAccounts `0x00000200` LookupIDs `0x00000400` AdministerServer `0x00010000` DELETE `0x00020000` READ_CONTROL `0x00040000` WRITE_DAC `0x00080000` WRITE_OWNER
`PrivilegesUsedForAccessCheck`	— Privilege constants reference
`Properties` UnicodeString	[Access Request Information] Privileges Used for Access Check.
`Restricted_SID_Count`	[Access Request Information] Properties.
`Process_ID`	[Access Request Information] Restricted SID Count.
`Process_Name`	[Process Information] Process ID.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4661,
    "version": 0,
    "level": 0,
    "task": 12803,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2019-03-18T23:23:52.522462Z",
    "event_record_id": 565602,
    "correlation": {},
    "execution": {
      "process_id": 452,
      "thread_id": 460
    },
    "channel": "Security",
    "computer": "WIN-77LTAPHIQ1R.example.corp",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-21-1587066498-1489273250-1035260531-1106",
    "SubjectUserName": "user01",
    "SubjectDomainName": "EXAMPLE",
    "SubjectLogonId": "0x15e1a7",
    "ObjectServer": "Security Account Manager",
    "ObjectType": "SAM_DOMAIN",
    "ObjectName": "DC=example,DC=corp",
    "HandleId": "0x14c7b1f20",
    "TransactionId": "00000000-0000-0000-0000-000000000000",
    "AccessList": "%%1538\r\n\t\t\t\t%%5394\r\n\t\t\t\t%%5396\r\n\t\t\t\t%%5399\r\n\t\t\t\t",
    "AccessMask": "0x2d",
    "PrivilegeList": "\u0002-",
    "Properties": "---\r\n\t{19195a5a-6da0-11d0-afd3-00c04fd930c9}\r\n%%1538\r\n%%5394\r\n%%5396\r\n%%5399\r\n\t\t{c7407360-20bf-11d0-a768-00aa006e0529}\r\n\t\t\t{bf9679a4-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679a6-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679bb-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c2-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c3-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a09-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a0b-0de6-11d0-a285-00aa003049e2}\r\n\t\t{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}\r\n\t\t\t{bf967a34-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a33-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679c5-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967a61-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf967977-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf96795e-0de6-11d0-a285-00aa003049e2}\r\n\t\t\t{bf9679ea-0de6-11d0-a285-00aa003049e2}\r\n\t\t{ab721a52-1e2f-11d0-9819-00aa0040529b}\r\n",
    "RestrictedSidCount": 0,
    "ProcessId": "0x1c4",
    "ProcessName": "C:\\Windows\\System32\\lsass.exe"
  }
}

Community Notes #

May indicate BloodHound-style LDAP reads.

This event covers SAM object handle requests. The default bitmask shown uses SAM_DOMAIN rights (the most commonly audited SAM object type). Bits 0x01–0x0400 vary by SAM object subtype:

Bit	SAM_SERVER	SAM_DOMAIN	SAM_GROUP	SAM_ALIAS	SAM_USER
0x01	ConnectToServer	ReadPasswordParameters	ReadInformation	AddMember	ReadGeneralInformation
0x02	ShutdownServer	WritePasswordParameters	WriteAccount	RemoveMember	ReadPreferences
0x04	InitializeServer	ReadOtherParameters	AddMember	ListMembers	WritePreferences
0x08	CreateDomain	WriteOtherParameters	RemoveMember	ReadInformation	ReadLogon
0x10	EnumerateDomains	CreateUser	ListMembers	WriteAccount	ReadAccount
0x20	LookupDomain	CreateGlobalGroup	—	—	WriteAccount

Standard rights are shared: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

AD Privileged Users or Groups Reconnaissance source high: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
Password Policy Enumerated source medium: Detects when the password policy is enumerated.
Reconnaissance Activity source high: Detects activity as "net user administrator /domain" and "net group domain admins /domain"

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4661
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4661
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx