
Event ID 4663 — An attempt was made to access an object.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → File System
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

An attempt was made to access an object.

Message

An attempt was made to access an object.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Object:
	Object Server: %5
	Object Type: %6
	Object Name: %7
	Handle ID: %8

Process Information:
	Process ID: %11
	Process Name: %12

Access Request Information:
	Accesses: %9
	Access Mask: %10

Fields

Name                Type            Description
SubjectUserSid      SID             [Subject] Security ID.
SubjectUserName     UnicodeString   [Subject] Account Name.
SubjectDomainName   UnicodeString   [Subject] Account Domain.
SubjectLogonId      HexInt64        [Subject] Logon ID.
ObjectServer        UnicodeString   [Object] Object Server.
ObjectType          UnicodeString   [Object] Object Type.
ObjectName          UnicodeString   [Object] Object Name.
HandleId            Pointer         [Object] Handle ID.
AccessList          UnicodeString   [Access Request Information] Accesses.
AccessMask          HexInt32        [Access Request Information] Access Mask (see the access mask table under Community Notes).
ProcessId           Pointer         [Process Information] Process ID.
ProcessName         UnicodeString   [Process Information] Process Name.
ResourceAttributes  UnicodeString   [Object] Resource Attributes.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4663,
    "version": 1,
    "level": 0,
    "task": 12802,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T01:55:26.055947+00:00",
    "event_record_id": 304894,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 15220
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "ObjectServer": "Security",
    "ObjectType": "Process",
    "ObjectName": "\\Device\\HarddiskVolume4\\Windows\\System32\\lsass.exe",
    "HandleId": "0x1978",
    "AccessList": "%%4484\r\n\t\t\t\t",
    "AccessMask": "0x10",
    "ProcessId": "0x4a28",
    "ProcessName": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
    "ResourceAttributes": "-"
  },
  "message": ""
}

Detection Patterns

Registry Keys Access: 10 rules (Sigma). Authors:

  • @BarryShooshooga, Nasreddine Bencherchali (Nextron Systems)
  • Roberto Rodriguez @Cyb3rWard0g
  • Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
  • Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
  • Roberto Rodriguez @Cyb3rWard0g

Defense Evasion: Modify Registry: 1 rule (Sigma). Authors:

  • Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)

Community Notes

4663 ("An attempt was made to access an object") may catch mass permission changes or tampering. It also fires on renames and can be noisy; pair it with 4660 (An object was deleted) to distinguish deletions from other access.

The AccessMask shown assumes File access rights (the most common context). The actual meaning of bits 0x01–0x80 depends on the ObjectType at runtime. Common alternatives:

Bit    File                       Registry                  Process                  Service
0x01   ReadData / ListDirectory   KEY_QUERY_VALUE           PROCESS_TERMINATE        SERVICE_QUERY_CONFIG
0x02   WriteData / AddFile        KEY_SET_VALUE             PROCESS_CREATE_THREAD    SERVICE_CHANGE_CONFIG
0x04   AppendData / AddSubDir     KEY_CREATE_SUB_KEY        PROCESS_SET_SESSIONID    SERVICE_QUERY_STATUS
0x08   ReadEA                     KEY_ENUMERATE_SUB_KEYS    PROCESS_VM_OPERATION     SERVICE_ENUMERATE_DEPENDENTS
0x10   WriteEA                    KEY_NOTIFY                PROCESS_VM_READ          SERVICE_START
0x20   Execute / Traverse         KEY_CREATE_LINK           PROCESS_VM_WRITE         SERVICE_STOP

Standard rights are shared across all types: DELETE (0x10000), READ_CONTROL (0x20000), WRITE_DAC (0x40000), WRITE_OWNER (0x80000).

Binary Defense post "Windows Defender ACL Blocking: A Silent Technique With Serious Impact": attackers can modify DACLs on the Windows Defender directory so that the antimalware service can no longer read its own binaries, silently disabling protection without triggering tamper alerts. Look for WRITE_DAC (0x40000) access to Defender paths in 4663, paired with 4670 (Permissions on an object were changed) for the same object.
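The table above and the WRITE_DAC note both come down to reading AccessMask against the right ObjectType. The following decoder is an added example, not code from this page or from Binary Defense: it transcribes the table into per-type lookups, decodes a mask into named rights (reporting unnamed bits instead of dropping them), and flags WRITE_DAC on a Defender path. Assumptions of the example: registry objects are matched on ObjectType "Key" (the column is labelled "Registry" above), an unknown ObjectType falls back to File semantics as the note says, and the Defender directory is recognised by the path fragment `\Windows Defender\`, which the page does not state. The 4670 pairing needs cross-event correlation that this single-event check does not do. Run against the page's example event, AccessMask 0x10 on lsass.exe decodes to PROCESS_VM_READ, not the WriteEA a File-only reading would give.

```python
"""Decode the AccessMask of a 4663 event according to its ObjectType."""

# Type-specific low bits, transcribed from the table in Community Notes.
# Keying the registry column on ObjectType "Key" is an assumption of this example.
TYPE_SPECIFIC = {
    "File": {0x01: "ReadData / ListDirectory", 0x02: "WriteData / AddFile",
             0x04: "AppendData / AddSubDir", 0x08: "ReadEA",
             0x10: "WriteEA", 0x20: "Execute / Traverse"},
    "Key": {0x01: "KEY_QUERY_VALUE", 0x02: "KEY_SET_VALUE",
            0x04: "KEY_CREATE_SUB_KEY", 0x08: "KEY_ENUMERATE_SUB_KEYS",
            0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"},
    "Process": {0x01: "PROCESS_TERMINATE", 0x02: "PROCESS_CREATE_THREAD",
                0x04: "PROCESS_SET_SESSIONID", 0x08: "PROCESS_VM_OPERATION",
                0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE"},
    "Service": {0x01: "SERVICE_QUERY_CONFIG", 0x02: "SERVICE_CHANGE_CONFIG",
                0x04: "SERVICE_QUERY_STATUS", 0x08: "SERVICE_ENUMERATE_DEPENDENTS",
                0x10: "SERVICE_START", 0x20: "SERVICE_STOP"},
}

# Standard rights are shared across all object types.
STANDARD = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
            0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
WRITE_DAC = 0x40000


def decode_access_mask(mask, object_type):
    """Return the named rights set in `mask`, interpreted for `object_type`.

    `mask` may be an int or the hex string as logged ("0x10"). An unknown
    ObjectType falls back to File semantics; bits with no name in either
    table are reported as unknown(0x...) so nothing is silently lost.
    """
    if isinstance(mask, str):
        mask = int(mask, 16)
    specific = TYPE_SPECIFIC.get(object_type, TYPE_SPECIFIC["File"])
    names, remaining = [], mask
    for table in (specific, STANDARD):
        for bit, name in sorted(table.items()):
            if mask & bit:
                names.append(name)
                remaining &= ~bit
    if remaining:
        names.append(f"unknown(0x{remaining:x})")
    return names


# Path fragment used to recognise the Defender directory (assumption; the page
# names the directory but not its path). Compared case-insensitively.
DEFENDER_PATH_HINT = "\\windows defender\\"


def flags_defender_dac_write(event_data):
    """True when a 4663 event_data dict records WRITE_DAC on a Defender path."""
    mask = int(event_data["AccessMask"], 16)
    object_name = event_data.get("ObjectName", "").lower()
    return bool(mask & WRITE_DAC) and DEFENDER_PATH_HINT in object_name


# event_data of the page's example event (ObjectType Process, AccessMask 0x10).
EXAMPLE_EVENT = {
    "SubjectUserSid": "S-1-5-18",
    "ObjectType": "Process",
    "ObjectName": "\\Device\\HarddiskVolume4\\Windows\\System32\\lsass.exe",
    "AccessMask": "0x10",
    "ProcessName": "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe",
}

# Constructed sample (not a real log line): a WRITE_DAC request on a Defender file.
CONSTRUCTED_DAC_EVENT = {
    "ObjectType": "File",
    "ObjectName": "\\Device\\HarddiskVolume4\\Program Files\\Windows Defender\\MsMpEng.exe",
    "AccessMask": "0x40000",
}

if __name__ == "__main__":
    for ev in (EXAMPLE_EVENT, CONSTRUCTED_DAC_EVENT):
        rights = decode_access_mask(ev["AccessMask"], ev["ObjectType"])
        print(ev["ObjectType"], ev["AccessMask"], "->", rights,
              "| defender DAC write:", flags_defender_dac_write(ev))
```

The same mask value decodes differently per type, so a rule that matches on AccessMask alone should always constrain ObjectType as well; otherwise a Process 0x10 (memory read) and a File 0x10 (extended-attribute write) land in the same bucket.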

Detection Rules

Sigma

  • ISO Image Mounted (level: medium): Detects the mount of an ISO image on an endpoint.
  • Service Registry Key Read Access Request (level: low): Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
  • File Access Of Signal Desktop Sensitive Data (level: medium): Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the user's credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.

Splunk

  • ConnectWise ScreenConnect Path Traversal Windows SACL: The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the ScreenConnect service. This activity is significant as it allows unauthorized access to sensitive files and directories, potentially leading to data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access to critical data or execute harmful code, compromising the integrity and security of the affected system. Immediate remediation by updating to version 23.9.8 or above is recommended.
  • Non Chrome Process Accessing Chrome Default Dir: The following analytic detects a non-Chrome process accessing files in the Chrome user default folder. It leverages Windows Security Event logs, specifically event code 4663, to identify unauthorized access attempts. This activity is significant because the Chrome default folder contains sensitive user data such as login credentials, browsing history, and cookies. If confirmed malicious, this behavior could indicate an attempt to exfiltrate sensitive information, often associated with RATs, trojans, and advanced persistent threats like FIN7. Such access could lead to data theft and further compromise of the affected system.
  • Non Firefox Process Access Firefox Profile Dir: The following analytic detects non-Firefox processes accessing the Firefox profile directory, which contains sensitive user data such as login credentials, browsing history, and cookies. It leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant because it may indicate attempts by malware, such as RATs or trojans, to harvest user information. If confirmed malicious, this behavior could lead to data exfiltration, unauthorized access to user accounts, and further compromise of the affected system.
  • SAM Database File Access Attempt: The following analytic detects attempts to access the SAM, SYSTEM, or SECURITY database files within the `windows\system32\config` directory using Windows Security EventCode 4663. This detection leverages Windows Security Event logs to identify unauthorized access attempts. Monitoring this activity is crucial as it indicates potential credential access attempts, possibly exploiting vulnerabilities like CVE-2021-36934. If confirmed malicious, an attacker could extract user passwords, leading to unauthorized access, privilege escalation, and further compromise of the system.
  • Windows Credential Access From Browser Password Store: The following analytic identifies a possible non-common browser process accessing its browser user data profile. This tactic/technique has been observed in various Trojan Stealers, such as SnakeKeylogger, which attempt to gather sensitive browser information and credentials as part of their exfiltration strategy. Detecting this anomaly can serve as a valuable pivot for identifying processes that access lists of browser user data profiles unexpectedly. This detection uses a lookup file `browser_app_list` that maintains a list of well known browser applications and the browser paths that are allowed to access the browser user data profiles.
  • Windows Credentials from Password Stores Chrome Extension Access: The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
  • Windows Credentials from Password Stores Chrome LocalState Access: The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.
  • Windows Credentials from Password Stores Chrome Login Data Access: The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.
  • Windows Hosts File Access: This analytic detects the execution of a process attempting to access the hosts file. The hosts file is a critical file for network configuration and DNS resolution. If an attacker gains access to it, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites.
  • Windows Increase in Group or Object Modification Activity: This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. By monitoring AD logs for unusual modification patterns, this detection helps identify suspicious behavior that could compromise the integrity and security of the AD environment. Also matches: Event ID 4670 (Permissions on an object were changed), Event ID 4727 (A security-enabled global group was created), Event ID 4731 (A security-enabled local group was created), Event ID 4734 (A security-enabled local group was deleted), Event ID 4735 (A security-enabled local group was changed), Event ID 4764 (A group's type was changed).
  • Windows Non Discord App Access Discord LevelDB: The following analytic detects non-Discord applications accessing the Discord LevelDB database. It leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users.
  • Windows Product Key Registry Query: This analytic detects the execution of a process attempting to access the registry for product key recovery purposes. This behavior could be significant as it might indicate potential malware activity or attempts to bypass security measures or data exfiltration.
  • Windows Query Registry Browser List Application: The following analytic detects a suspicious process accessing the registry entries for default internet browsers. It leverages Windows Security Event logs, specifically event code 4663, to identify access attempts to these registry paths. This activity is significant because adversaries can exploit this registry key to gather information about installed browsers and their settings, potentially leading to the theft of sensitive data such as login credentials and browsing history. If confirmed malicious, this behavior could enable attackers to exfiltrate sensitive information and compromise user accounts.
  • Windows Query Registry UnInstall Program List: The following analytic detects an access request on the uninstall registry key. It leverages Windows Security Event logs, specifically event code 4663. This activity is significant because adversaries or malware can exploit this key to gather information about installed applications, aiding in further attacks. If confirmed malicious, this behavior could allow attackers to map out installed software, potentially identifying vulnerabilities or software to exploit, leading to further system compromise.
  • Windows Unsecured Outlook Credentials Access In Registry: The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk.
  • Windows Unusual FileZilla XML Config Access: The following analytic identifies processes accessing FileZilla XML config files such as recentservers.xml and sitemanager.xml. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This activity is significant because it can indicate unauthorized access or manipulation of sensitive configuration files used by FileZilla, a popular FTP client. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.
  • Windows Unusual Intelliform Storage Registry Access: The following analytic identifies processes accessing Intelliform Storage Registry keys used by Internet Explorer. It leverages Windows Security Event logs, specifically monitoring EventCode 4663, which tracks object access events. This activity is significant because it can indicate unauthorized access or manipulation of sensitive registry keys used for storing form data in Internet Explorer. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.

References