# Access Mask Reference
The AccessMask field in Microsoft-Windows-Security-Auditing events 4656, 4663, 4657, 4661, and 4662 is a hexadecimal bitmask indicating the type of access requested or granted to an object. The meaning of the object-specific bits varies by object type: the same bit value represents different rights for files, registry keys, AD objects, and SAM objects.
## Standard and Generic Rights
These rights apply to all object types.
| Bit | Right | Description |
|---|---|---|
| 0x00010000 | DELETE | Delete the object |
| 0x00020000 | READ_CONTROL | Read the security descriptor (DACL) |
| 0x00040000 | WRITE_DAC | Modify the DACL: change who can access the object |
| 0x00080000 | WRITE_OWNER | Change the object owner |
| 0x00100000 | SYNCHRONIZE | Use the object for synchronization |
| 0x10000000 | GENERIC_ALL | Full control |
| 0x20000000 | GENERIC_EXECUTE | Execute access |
| 0x40000000 | GENERIC_WRITE | Write access |
| 0x80000000 | GENERIC_READ | Read access |
## File and Directory Access Rights
Microsoft-Windows-Security-Auditing Event 4656 and Event 4663: object access auditing for files and directories.
| Bit | Right | Description |
|---|---|---|
| 0x00000001 | FILE_READ_DATA / FILE_LIST_DIRECTORY | Read file contents or list directory |
| 0x00000002 | FILE_WRITE_DATA / FILE_ADD_FILE | Write to file or add a file to directory |
| 0x00000004 | FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY | Append data to file or create subdirectory |
| 0x00000008 | FILE_READ_EA | Read extended attributes |
| 0x00000010 | FILE_WRITE_EA | Write extended attributes |
| 0x00000020 | FILE_EXECUTE / FILE_TRAVERSE | Execute file or traverse directory |
| 0x00000040 | FILE_DELETE_CHILD | Delete a file or directory within a directory |
| 0x00000080 | FILE_READ_ATTRIBUTES | Read file attributes |
| 0x00000100 | FILE_WRITE_ATTRIBUTES | Write file attributes |
| 0x00010000 | DELETE | Delete the file or directory |
| 0x00020000 | READ_CONTROL | Read the security descriptor |
## Registry Key Access Rights
Microsoft-Windows-Security-Auditing Event 4657: registry value modification.
| Bit | Right | Description |
|---|---|---|
| 0x00000001 | KEY_QUERY_VALUE | Query registry key values |
| 0x00000002 | KEY_SET_VALUE | Set registry key values |
| 0x00000004 | KEY_CREATE_SUB_KEY | Create subkeys |
| 0x00000008 | KEY_ENUMERATE_SUB_KEYS | Enumerate subkeys |
| 0x00000010 | KEY_NOTIFY | Request change notifications |
| 0x00000020 | KEY_CREATE_LINK | Create symbolic links |
| 0x00000100 | KEY_WOW64_32KEY | Access 32-bit registry view |
| 0x00000200 | KEY_WOW64_64KEY | Access 64-bit registry view |
## Active Directory Object Rights
Microsoft-Windows-Security-Auditing Event 4662: an operation was performed on an Active Directory object.
| Bit | Right | Description |
|---|---|---|
| 0x00000001 | DS_CREATE_CHILD | Create child objects |
| 0x00000002 | DS_DELETE_CHILD | Delete child objects |
| 0x00000004 | DS_LIST_CONTENTS | List contents of the container |
| 0x00000008 | DS_WRITE_SELF | Write self (validated writes) |
| 0x00000010 | DS_READ_PROP | Read all properties |
| 0x00000020 | DS_WRITE_PROP | Write all properties |
| 0x00000040 | DS_DELETE_TREE | Delete the entire subtree |
| 0x00000080 | DS_LIST_OBJECT | List the object (visibility control) |
| 0x00000100 | DS_CONTROL_ACCESS | Extended rights (e.g. Replicating Directory Changes for DCSync) |
## SAM Object Rights
Microsoft-Windows-Security-Auditing Event 4661: a handle to a SAM object was requested.
| Bit | Right | Description |
|---|---|---|
| 0x00000001 | ReadPasswordParameters | Read password policy parameters |
| 0x00000002 | WritePasswordParameters | Write password policy parameters |
| 0x00000004 | ReadOtherParameters | Read other domain parameters |
| 0x00000008 | WriteOtherParameters | Write other domain parameters |
| 0x00000010 | CreateUser | Create user accounts |
| 0x00000020 | CreateGlobalGroup | Create global groups |
| 0x00000040 | CreateLocalGroup | Create local groups |
| 0x00000080 | GetLocalGroupMembership | Enumerate local group membership |
| 0x00000100 | ListAccounts | List all accounts in the domain |
| 0x00000200 | LookupIDs | Resolve names to SIDs |
| 0x00000400 | AdministerServer | Full administrative access to the SAM |
## Commonly Monitored Access Patterns
| Pattern | Technique | Detection |
|---|---|---|
| DS_CONTROL_ACCESS (0x100) on domain root | DCSync (Replicating Directory Changes) | Event 4662 with DS_CONTROL_ACCESS on the domain partition DN from non-DC accounts |
| WRITE_DAC (0x40000) | ACL backdoor: attacker grants themselves persistent access | Event 4656/4663 with WRITE_DAC by non-owner/non-admin principals |
| WRITE_OWNER (0x80000) | Ownership takeover to bypass ACLs | Event 4656/4663 from non-admin accounts |
| GENERIC_ALL (0x10000000) | Full control requested | Unusual when targeting sensitive files, AD objects, or registry keys |
| FILE_WRITE_DATA (0x2) on sensitive paths | Data tampering or log clearing | Event 4663 on security-relevant files (e.g. SAM, SYSTEM, SECURITY hives) |
| KEY_SET_VALUE (0x2) on Run keys | Registry persistence | Event 4657 on HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and similar |
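The tables above only become useful once the hex `AccessMask` in a log record is turned back into right names and matched against the monitored patterns. The following Python script, added here as a worked example (it is not code from the original reference page), does both: it decodes a mask against the object-specific table selected by event ID (or by an explicit object type, since 4656/4663 also cover registry keys) plus the standard/generic table, reports any bits the tables do not cover instead of dropping them, and then applies the monitored-pattern table to a few constructed sample events. The sample events, the admin and DC account lists, and the domain DN `DC=corp,DC=example` are constructed for the example; the WOW64 view bits follow the values defined in `winnt.h`.

```python
"""Decode the AccessMask of Windows Security-Auditing events and apply the
monitored-pattern table to sample events.

Added example, not code from the original reference page. The bit tables are the
ones tabulated above (WOW64 view bits as defined in winnt.h); the events, account
lists and domain DN at the bottom are constructed sample data, not real logs.
"""

STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE", 0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
FILE_RIGHTS = {
    0x001: "FILE_READ_DATA", 0x002: "FILE_WRITE_DATA", 0x004: "FILE_APPEND_DATA",
    0x008: "FILE_READ_EA", 0x010: "FILE_WRITE_EA", 0x020: "FILE_EXECUTE",
    0x040: "FILE_DELETE_CHILD", 0x080: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES",
}
REGISTRY_RIGHTS = {
    0x001: "KEY_QUERY_VALUE", 0x002: "KEY_SET_VALUE", 0x004: "KEY_CREATE_SUB_KEY",
    0x008: "KEY_ENUMERATE_SUB_KEYS", 0x010: "KEY_NOTIFY", 0x020: "KEY_CREATE_LINK",
    0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY",  # values as defined in winnt.h
}
AD_RIGHTS = {
    0x001: "DS_CREATE_CHILD", 0x002: "DS_DELETE_CHILD", 0x004: "DS_LIST_CONTENTS",
    0x008: "DS_WRITE_SELF", 0x010: "DS_READ_PROP", 0x020: "DS_WRITE_PROP",
    0x040: "DS_DELETE_TREE", 0x080: "DS_LIST_OBJECT", 0x100: "DS_CONTROL_ACCESS",
}
SAM_RIGHTS = {
    0x001: "ReadPasswordParameters", 0x002: "WritePasswordParameters",
    0x004: "ReadOtherParameters", 0x008: "WriteOtherParameters", 0x010: "CreateUser",
    0x020: "CreateGlobalGroup", 0x040: "CreateLocalGroup", 0x080: "GetLocalGroupMembership",
    0x100: "ListAccounts", 0x200: "LookupIDs", 0x400: "AdministerServer",
}
# 4656/4663 default to the file table, but their ObjectType field can also read
# "Key"; pass object_type="Key" in that case so the right table is used.
OBJECT_TABLES = {"File": FILE_RIGHTS, "Key": REGISTRY_RIGHTS, "DS": AD_RIGHTS, "SAM": SAM_RIGHTS}
EVENT_DEFAULT_TYPE = {4656: "File", 4663: "File", 4657: "Key", 4661: "SAM", 4662: "DS"}


def decode_access_mask(event_id, access_mask, object_type=None):
    """Return the names of the rights set in access_mask ("0x1f01ff" or an int).

    Bits that neither table covers come back as UNKNOWN(0x...) so an odd mask is
    visible in the output instead of silently decoding to "nothing".
    """
    mask = int(access_mask, 16) if isinstance(access_mask, str) else int(access_mask)
    kind = object_type if object_type in OBJECT_TABLES else EVENT_DEFAULT_TYPE[event_id]
    table = dict(OBJECT_TABLES[kind])
    table.update(STANDARD_RIGHTS)
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    unknown = mask & ~sum(table)  # keys are distinct single bits, so their sum = known bits
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


SENSITIVE_FILES = ("\\config\\sam", "\\config\\system", "\\config\\security")  # hive paths
RUN_KEYS = ("\\currentversion\\run",)  # substring match also covers RunOnce


def flag_event(event, admin_accounts, dc_accounts, domain_root_dn):
    """Apply the monitored-pattern table to one event; returns the matched labels."""
    eid, user = event["EventID"], event["SubjectUserName"]
    obj = event.get("ObjectName", "").lower()
    rights = set(decode_access_mask(eid, event["AccessMask"], event.get("ObjectType")))
    on_file = eid in (4656, 4663)
    on_domain_root = obj == domain_root_dn.lower()
    sensitive = on_domain_root or any(s in obj for s in SENSITIVE_FILES + RUN_KEYS)
    hits = []
    if eid == 4662 and "DS_CONTROL_ACCESS" in rights and on_domain_root and user not in dc_accounts:
        hits.append("DCSync")  # a production rule would also inspect the Properties field
    if on_file and "WRITE_DAC" in rights and user not in admin_accounts:
        hits.append("ACL backdoor")
    if on_file and "WRITE_OWNER" in rights and user not in admin_accounts:
        hits.append("Ownership takeover")
    if "GENERIC_ALL" in rights and sensitive:
        hits.append("GENERIC_ALL on sensitive object")
    if eid == 4663 and "FILE_WRITE_DATA" in rights and any(s in obj for s in SENSITIVE_FILES):
        hits.append("Sensitive file write")
    if eid == 4657 and "KEY_SET_VALUE" in rights and any(k in obj for k in RUN_KEYS):
        hits.append("Registry persistence")
    return hits


# Constructed sample events (not real log records); the last one is a benign read.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "ObjectName": "DC=corp,DC=example"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "AccessMask": "0x40000",
     "ObjectName": "C:\\Finance\\payroll.xlsx"},
    {"EventID": 4657, "SubjectUserName": "jdoe", "AccessMask": "0x2",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"EventID": 4663, "SubjectUserName": "DC01$", "AccessMask": "0x1",
     "ObjectName": "C:\\Windows\\System32\\config\\SAM"},
]


def triage(events, admin_accounts=frozenset({"Administrator"}),
           dc_accounts=frozenset({"DC01$"}), domain_root_dn="DC=corp,DC=example"):
    """Return (EventID, SubjectUserName, labels) for every event that matched a pattern."""
    return [(e["EventID"], e["SubjectUserName"], hits) for e in events
            if (hits := flag_event(e, admin_accounts, dc_accounts, domain_root_dn))]


if __name__ == "__main__":
    for eid, user, labels in triage(SAMPLE_EVENTS):
        print(eid, user, labels)
```

Run it as-is to see the three sample events that match (DCSync, ACL backdoor, registry persistence) and the benign SAM read that does not. To feed real records, build the event dicts from the `EventID`, `SubjectUserName`, `ObjectName`, `ObjectType` and `AccessMask` fields of the XML event data and replace the constructed admin/DC account sets and domain DN with your own.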
## Related Events
- Microsoft-Windows-Security-Auditing Event ID 4656: A handle to an object was requested
- Microsoft-Windows-Security-Auditing Event ID 4663: An attempt was made to access an object
- Microsoft-Windows-Security-Auditing Event ID 4657: A registry value was modified
- Microsoft-Windows-Security-Auditing Event ID 4661: A handle to an object was requested (SAM)
- Microsoft-Windows-Security-Auditing Event ID 4662: An operation was performed on an object (AD)