Thursday, January 9, 2020

Event ID 4656 - A handle to an object was requested

Operating System:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

Log Sample:
{
  "EventTime": "2017-12-02 11:05:17",
  "Hostname": "admin.changeme.com",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4656,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 1,
  "Task": 12800,
  "OpcodeValue": 0,
  "RecordNumber": 226819,
  "ProcessID": 488,
  "ThreadID": 496,
  "Channel": "Security",
  "Message": "A handle to an object was requested.",
  "Category": "File System",
  "Opcode": "Info",
  "SubjectUserSid": "S-1-5-21-3847885611-993090441-4211331690-500",
  "SubjectUserName": "Administrator",
  "SubjectDomainName": "changeme",
  "SubjectLogonId": "0x23bb2",
  "ObjectServer": "Security",
  "ObjectType": "File",
  "ObjectName": "C:\\Users\\Administrator\\Desktop\\Test Document.txt",
  "HandleId": "0x11cc",
  "ResourceAttributes": "-",
  "TransactionId": "{00000000-0000-0000-0000-000000000000}",
  "AccessList": "%%1538%%4423",
  "AccessReason": "%%1538:%%1804%%4423:%%1801",
  "AccessMask": "0x20080",
  "PrivilegeList": "-",
  "RestrictedSidCount": "0",
  "ProcessName": "C:\\Windows\\explorer.exe",
  "EventReceivedTime": "2017-12-02 11:05:18",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}


This event is logged when auditing is enabled on an object. The object can be anything from a file, folder, registry key or service object to the SAM, etc. How to enable auditing?

Once auditing is enabled and an application attempts to access an object, this is the first event logged. The access must match the audit policy defined for that object (what type of access is being requested, and who is requesting it). The result is either an Audit Success or an Audit Failure, depending on the permissions granted to the user account under which the requesting process is running.

In the example above, explorer.exe running as Administrator successfully opened "Test Document.txt" for Read access. (The AccessList in the example shows numeric codes such as %%1538 and %%4423; each value has a specific meaning.)

Note that this event does not always mean that the access successfully requested was actually exercised; it only records that the handle request succeeded. To determine whether any of the requested permissions were actually exercised, look for an event ID 4663 with the same HandleId as this 4656 event.

Subject User Information:
  "SubjectUserSid" -> SID of the account
  "SubjectUserName" -> user who logged in
  "SubjectDomainName" -> domain name or computer name
  "SubjectLogonId" -> a semi-unique ID identifying the logon session; it can be correlated back to event ID 4624. Semi-unique in the sense that it changes on each reboot.

Object:
  "ObjectType" -> File (for files and folders). Can also be SAM, Key, etc.
  "ObjectName" -> the actual object that was accessed
  "HandleId" -> again a semi-unique ID that identifies all subsequent audited events while the object is open. This ID is used to correlate with the other object access events (Open 4656, Access 4663, Close 4658).
  "ResourceAttributes" -> used to classify objects according to any number of criteria, such as project, compliance or security level.

Process:
  "ProcessName" -> identifies the executable program that accessed the object
  "ProcessID" -> the ID assigned when the executable started, as logged in event ID 4688

Access:
  "AccessList" -> permissions requested
  "AccessReason" -> permissions granted and the reason
  "AccessMask" -> the bitwise equivalent of the access. Tied together with AccessList, this can be used to identify the different actions on files and folders, such as Delete, Read, Create, etc.

It is recommended to use event ID 4663 for correlating the different operations on files and folders.
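The following is an added example, not code from the original post: it decodes the AccessMask bits and the %%-codes of AccessList into named file rights, and groups 4656/4663/4658 events by HandleId so that a requested access can be told apart from one that was actually exercised. The 4656 fields mirror the sample above; the 4663 and 4658 records and the second handle are constructed for illustration.

```python
# Access-right bits for ObjectType "File" (Windows file/directory rights).
FILE_RIGHTS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# A subset of the %%-codes that appear in AccessList (Event Viewer resolves them).
ACCESS_CODES = {
    "%%1537": "DELETE", "%%1538": "READ_CONTROL", "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER", "%%1541": "SYNCHRONIZE", "%%4416": "ReadData",
    "%%4417": "WriteData", "%%4423": "ReadAttributes", "%%4424": "WriteAttributes",
}

def decode_access_mask(mask):
    """Split a hex AccessMask string such as '0x20080' into named rights."""
    bits = int(mask, 16)
    return [name for bit, name in FILE_RIGHTS.items() if bits & bit]

def decode_access_list(access_list):
    """Map an AccessList such as '%%1538%%4423' to its right names."""
    codes = ["%%" + c for c in access_list.split("%%") if c]
    return [ACCESS_CODES.get(c, c) for c in codes]

def correlate_handles(events):
    """Group 4656 (open), 4663 (access) and 4658 (close) events by HandleId."""
    handles = {}
    for ev in events:
        h = handles.setdefault(ev["HandleId"],
                               {"requested": [], "exercised": [], "closed": False})
        if ev["EventID"] == 4656:        # handle requested: record what was asked for
            h["object"], h["process"] = ev["ObjectName"], ev["ProcessName"]
            h["requested"] = decode_access_mask(ev["AccessMask"])
        elif ev["EventID"] == 4663:      # access actually exercised on that handle
            h["exercised"] += decode_access_mask(ev["AccessMask"])
        elif ev["EventID"] == 4658:      # handle closed
            h["closed"] = True
    return handles

# Constructed sample: handle 0x11cc is opened, read and closed; handle 0x1200 is
# opened for DELETE but never followed by a 4663, so nothing was exercised.
SAMPLE = [
    {"EventID": 4656, "HandleId": "0x11cc", "AccessMask": "0x20080",
     "ObjectName": "C:\\Users\\Administrator\\Desktop\\Test Document.txt",
     "ProcessName": "C:\\Windows\\explorer.exe"},
    {"EventID": 4663, "HandleId": "0x11cc", "AccessMask": "0x80"},
    {"EventID": 4658, "HandleId": "0x11cc"},
    {"EventID": 4656, "HandleId": "0x1200", "AccessMask": "0x10000",
     "ObjectName": "C:\\Users\\Administrator\\Desktop\\other.txt",
     "ProcessName": "C:\\Windows\\notepad.exe"},
]

if __name__ == "__main__":
    for hid, info in correlate_handles(SAMPLE).items():
        print(hid, info)
```

Because HandleId values are reused after a reboot, run the correlation per host and per boot session in practice.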
