Event ID 4670 — Permissions on an object were changed.
Description
Permissions on an object were changed.
Message
Fields
| Name | Type | Description |
|---|---|---|
| SubjectUserSid | SID | [Subject] Security ID. |
| SubjectUserName | UnicodeString | [Subject] Account Name. |
| SubjectDomainName | UnicodeString | [Subject] Account Domain. |
| SubjectLogonId | HexInt64 | [Subject] Logon ID. |
| ObjectServer | UnicodeString | [Object] Object Server. |
| ObjectType | UnicodeString | [Object] Object Type. |
| ObjectName | UnicodeString | [Object] Object Name. |
| HandleId | Pointer | [Object] Handle ID. |
| OldSd | UnicodeString | [Permissions Change] Original Security Descriptor. |
| NewSd | UnicodeString | [Permissions Change] New Security Descriptor. |
| ProcessId | Pointer | [Process] Process ID. |
| ProcessName | UnicodeString | [Process] Process Name. |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 4670,
    "version": 0,
    "level": 0,
    "task": 13570,
    "opcode": 0,
    "keywords": 9232379236109516800,
    "time_created": "2023-11-06T02:03:41.603666+00:00",
    "event_record_id": 314599,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 21268
    },
    "channel": "Security",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "SubjectUserSid": "S-1-5-18",
    "SubjectUserName": "WINDEV2310EVAL$",
    "SubjectDomainName": "WORKGROUP",
    "SubjectLogonId": "0x3e7",
    "ObjectServer": "Security",
    "ObjectType": "Token",
    "ObjectName": "-",
    "HandleId": "0xddc",
    "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
    "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
    "ProcessId": "0x30c",
    "ProcessName": "C:\\Windows\\System32\\services.exe"
  },
  "message": ""
}
```
Detection Patterns
Security-Auditing (all of the following, combined with AND):
- Event ID 4670: Permissions on an object were changed.
- Event ID 4727: A security-enabled global group was created.
- Event ID 4731: A security-enabled local group was created.
- Event ID 4734: A security-enabled local group was deleted.
- Event ID 4735: A security-enabled local group was changed.
- Event ID 4764: A group's type was changed.
Defense Evasion: Impair Defenses
Security-Auditing (either of the following, combined with OR):
- Event ID 4670: Permissions on an object were changed.
- Event ID 4688: A new process has been created.
(1 rule, Kusto Query Language)
Community Notes
Event 4670 (permissions on an object were changed) may detect ACL edits on files, registry keys, or tokens that grant elevated rights.
Binary Defense's post "Windows Defender ACL Blocking: A Silent Technique With Serious Impact" describes attackers modifying DACLs on the Windows Defender directory so that the antimalware service can no longer read its own binaries, silently disabling protection without triggering tamper alerts. Look for ACL changes targeting Defender paths (e.g. C:\ProgramData\Microsoft\Windows Defender\) paired with 4663 WRITE_DAC access.
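As an added example (not code from this page or from any of the sources it references), the following Python parses the SDDL strings carried in OldSd and NewSd, diffs their DACL entries, and flags the changes the notes above call out: a newly granted high-rights allow ACE, a newly added deny ACE, and any change under the Windows Defender directory. The first sample is built from the OldSd/NewSd pair in the example event; the second is a constructed, hypothetical file ACL change used only to exercise the Defender-path check.

```python
import re
from typing import NamedTuple

# Constructed samples: the OldSd/NewSd pair from the example event above, plus a
# hypothetical file ACL change under the Defender directory named in the notes.
TOKEN_EVENT = {
    "ObjectName": "-",
    "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
    "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)"
             "(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
}
DEFENDER_EVENT = {
    "ObjectName": r"C:\ProgramData\Microsoft\Windows Defender\Platform",
    "OldSd": "O:SYG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)",
    "NewSd": "O:SYG:SYD:PAI(D;OICI;FA;;;SY)(A;OICI;FA;;;BA)",
}

class Ace(NamedTuple):
    ace_type: str  # A = access allowed, D = access denied
    flags: str     # inheritance flags such as OICI
    rights: str    # concatenated rights tokens (GA, FA, RC, ...) or a hex mask
    trustee: str   # SID alias (SY, BA, NS, OW) or a literal S-1-... SID

HIGH_RIGHTS = {"GA", "GW", "WD", "WO", "FA", "KA"}  # full control or re-ACL rights
DEFENDER_DIR = r"c:\programdata\microsoft\windows defender"
def dacl_aces(sddl: str) -> set[Ace]:
    """Parse the D: (DACL) section of an SDDL string; conditional ACEs are skipped."""
    if "D:" not in sddl:
        return set()
    section = sddl.split("D:", 1)[1].split("S:", 1)[0]  # DACL text up to the SACL
    parts = [body.split(";") for body in re.findall(r"\(([^()]*)\)", section)]
    return {Ace(p[0], p[1], p[2], p[5]) for p in parts if len(p) == 6}  # type;flags;rights;;;trustee

def rights_tokens(rights: str) -> set[str]:
    """Split 'GAGR' into {'GA', 'GR'}; a hex mask is returned whole, undecoded."""
    return {rights} if rights.startswith("0x") else {rights[i:i + 2] for i in range(0, len(rights), 2)}

def analyze(event: dict) -> dict:
    """Diff the two DACLs and flag the ACE changes a defender would triage first."""
    old, new = dacl_aces(event["OldSd"]), dacl_aces(event["NewSd"])
    added, removed = new - old, old - new
    findings = []
    for ace in sorted(added):
        if ace.ace_type == "A" and rights_tokens(ace.rights) & HIGH_RIGHTS:
            findings.append(f"new high-rights allow ACE for {ace.trustee}")
        elif ace.ace_type == "D":
            findings.append(f"new deny ACE for {ace.trustee}")
    if event["ObjectName"].lower().startswith(DEFENDER_DIR):
        findings.append("DACL change on Windows Defender path")
    return {"added": added, "removed": removed, "findings": findings}
```

For the example event this reports one added high-rights ACE (the generic-all grant to the S-1-5-80 service SID) and one removed ACE (the NS entry); pair the Defender-path finding with a 4663 WRITE_DAC event on the same object to reduce noise.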
References
- Microsoft Learn: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4670
- Microsoft Learn, Audit Policy: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-authentication-policy-change
- Ultimate Windows Security: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4670
- Example event sourced from: https://github.com/NextronSystems/evtx-baseline