Thursday, January 9, 2020

Event ID 4663 - An attempt was made to access an object

Operating System:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

Log Sample:
{
 "EventTime": "2017/12/02 14:04:12",
 "Hostname": "admin.changeme.local",
 "Keywords": -9214364837600034816,
 "EventType": "AUDIT_SUCCESS",
 "SeverityValue": 2,
 "Severity": "INFO",
 "EventID": 4663,
 "SourceName": "Microsoft-Windows-Security-Auditing",
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "Version": 1,
 "Task": 12800,
 "OpcodeValue": 0,
 "RecordNumber": 180674944,
 "ProcessID": 768,
 "ThreadID": 776,
 "Channel": "Security",
 "Message": "An attempt was made to access an object.",
 "Category": "File System",
 "Opcode": "Info",
 "SubjectUserSid": "S-1-5-21-343361891-1219768270-4058147650-5463",
 "SubjectUserName": "Victoria Le",
 "SubjectDomainName": "MP",
 "SubjectLogonId": "0xe3e3b0a4e",
 "ObjectServer": "Security",
 "ObjectType": "File",
 "ObjectName": "I:\\Company\\changeme\\Sales\\General\\Service Level Agreement.doc",
 "HandleId": "0xb550",
 "AccessList": "%%1537\r\n\t\t\t\t",
 "AccessMask": "0x10000",
 "ResourceAttributes": "S:AI",
 "EventReceivedTime": "2017/12/02 04:04:12",
 "SourceModuleName": "wineventlog_in",
 "SourceModuleType": "im_msvistalog"
}


This event is logged when auditing is enabled on an object and an access is exercised against it. The object can be a file, folder, registry key, service object, SAM object and so on. Two things have to be in place before 4663 shows up: the matching Object Access audit subcategory (Audit File System for files and folders, Audit Registry for keys, and so on) must be enabled for success and/or failure, and the object itself needs a SACL entry covering the principal and the access types you want recorded. Turning on the policy without a SACL logs nothing. How to enable auditing?

When files, folders and other objects are accessed and operated on, this is the event that actually carries the useful detail. It is logged between the open (4656) and close (4658) events for the object being used and can be correlated to both of them via the Handle ID.

Event 4656 tells when the object was initially opened and which access rights were requested, but it does not confirm that any of those rights were actually used. 4663 is logged the first time one or more of the requested rights is actually exercised. If the program repeatedly exercises the same right while the object is open, Windows logs 4663 only once for it, so the absence of further 4663 events does not mean the activity stopped. Note also that 4658 belongs to the Audit Handle Manipulation subcategory, not Audit File System; if you see 4656/4663 pairs with no matching close event, that subcategory is most likely not enabled.

Subject User Information:
  "SubjectUserSid" -> SID of the account that performed the access
  "SubjectUserName" -> name of that account
  "SubjectDomainName" -> domain name, or computer name for a local account
  "SubjectLogonId" -> hexadecimal logon session ID. Join it to the 4624 event carrying the same Logon ID to find the logon type and source of the session. It is only unique until the machine reboots, so match on hostname and time window as well.

Object
  "ObjectType" -> File (for both files and folders). Can also be Key, SAM, etc.
  "ObjectName" -> full path of the object that was accessed
  "HandleId" -> identifies all audited events on the object while the handle is open and is the join key for Open (4656), Access (4663) and Close (4658). Handle values are only unique within a process and are reused once the handle is closed, so correlate within one process and treat 4658 as the end of the sequence.
  "ResourceAttributes" -> Dynamic Access Control resource properties used to classify the object (project, compliance, security level, etc.), rendered in SDDL. The "S:AI" in the sample is an auto-inherited SACL with no resource property claims attached.

Process
  "ProcessName" -> full path of the executable that accessed the object
  "ProcessId" -> PID of that executable in hex, matching the New Process ID logged in 4688 when it started
  Note that the top-level "ProcessID": 768 and "ThreadID": 776 in the sample are the process that wrote the event (the Local Security Authority), not the program doing the access; the per-event ProcessId and ProcessName fields are not present in the sample above.

Access
  "AccessList" -> the access rights being reported as exercised in this 4663. Raw collectors such as nxlog keep them as %%NNNN message-table placeholders padded with \r\n\t, which Event Viewer resolves to names; %%1537 is DELETE.
  "AccessMask" -> hex bitmask equivalent of AccessList. The bit meanings depend on ObjectType (file bits differ from registry key bits), so decode it together with ObjectType. Read with AccessList it tells you the action on the file or folder: Delete, Read, Create, etc. In the sample, 0x10000 is DELETE, so the record shows the user exercising delete on the .doc file.
  There is no Access Reasons field in 4663; the reason an access was granted (which ACE matched) is recorded in the preceding 4656 with the same Handle ID.
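The Handle ID correlation described earlier and the AccessMask/AccessList decoding above, worked through in code. This is an added example and not code from the original post; the events in SAMPLE_EVENTS are constructed to mirror the nxlog im_msvistalog field names of the sample above and are not real collected data, and the ProcessId value 0x1a4c is made up.

```python
"""Correlate Windows object-access events (4656 open, 4663 access, 4658 close)
by Handle ID and decode the Access Mask / Accesses fields.

Added example, not code from the original post. SAMPLE_EVENTS is constructed
to mirror the nxlog im_msvistalog JSON layout of the post's sample.
"""

# Access mask bits for ObjectType "File", paired with the %%NNNN message-table
# IDs that raw collectors such as nxlog leave unresolved in AccessList.
FILE_ACCESS_BITS = {
    0x1:      ("ReadData (or ListDirectory)", "%%4416"),
    0x2:      ("WriteData (or AddFile)",      "%%4417"),
    0x4:      ("AppendData",                  "%%4418"),
    0x8:      ("ReadEA",                      "%%4419"),
    0x10:     ("WriteEA",                     "%%4420"),
    0x20:     ("Execute/Traverse",            "%%4421"),
    0x40:     ("DeleteChild",                 "%%4422"),
    0x80:     ("ReadAttributes",              "%%4423"),
    0x100:    ("WriteAttributes",             "%%4424"),
    0x10000:  ("DELETE",                      "%%1537"),
    0x20000:  ("READ_CONTROL",                "%%1538"),
    0x40000:  ("WRITE_DAC",                   "%%1539"),
    0x80000:  ("WRITE_OWNER",                 "%%1540"),
    0x100000: ("SYNCHRONIZE",                 "%%1541"),
}
PLACEHOLDER_TO_NAME = {ph: name for name, ph in FILE_ACCESS_BITS.values()}
KNOWN_BITS = 0
for _bit in FILE_ACCESS_BITS:
    KNOWN_BITS |= _bit


def decode_access_mask(mask):
    """Expand a hex-string or int AccessMask into the file access names it carries."""
    value = int(mask, 16) if isinstance(mask, str) else int(mask)
    names = [name for bit, (name, _) in FILE_ACCESS_BITS.items() if value & bit]
    leftover = value & ~KNOWN_BITS
    if leftover:  # bits outside the File table (e.g. generic rights) stay visible
        names.append("unknown(0x%x)" % leftover)
    return names


def resolve_access_list(access_list):
    """Map %%NNNN placeholders in a raw AccessList to names; split() drops the
    CR/LF/tab padding the collector keeps. Unknown IDs are returned unchanged."""
    return [PLACEHOLDER_TO_NAME.get(tok, tok) for tok in access_list.split()]


def correlate_handles(events):
    """Stitch 4656/4663/4658 into one record per handle lifetime.

    A handle value is only unique within a process and is reused after close,
    so records are keyed on (ProcessId, HandleId) and a 4658 retires the record;
    a later event with the same HandleId starts a fresh one.
    """
    open_handles, finished = {}, []
    for ev in sorted(events, key=lambda e: e["RecordNumber"]):
        key = (ev.get("ProcessId"), ev["HandleId"])
        rec = open_handles.setdefault(key, {
            "handle": ev["HandleId"], "object": ev.get("ObjectName"),
            "user": ev.get("SubjectUserName"), "logon_id": ev.get("SubjectLogonId"),
            "requested": [], "exercised": [], "closed": False,
        })
        if ev["EventID"] == 4656:        # open: rights asked for, not yet used
            rec["requested"] = decode_access_mask(ev["AccessMask"])
        elif ev["EventID"] == 4663:      # first actual use of each right
            for name in decode_access_mask(ev["AccessMask"]):
                if name not in rec["exercised"]:
                    rec["exercised"].append(name)
        elif ev["EventID"] == 4658:      # close: retire the record
            rec["closed"] = True
            finished.append(open_handles.pop(key))
    return finished + list(open_handles.values())


def _ev(record, event_id, handle, **fields):
    """Build a minimal event in the collector's field names (constructed data)."""
    base = {"RecordNumber": record, "EventID": event_id, "HandleId": handle,
            "ProcessId": "0x1a4c", "SubjectUserName": "Victoria Le",
            "SubjectLogonId": "0xe3e3b0a4e", "ObjectType": "File"}
    base.update(fields)
    return base


DOC = r"I:\Company\changeme\Sales\General\Service Level Agreement.doc"
NOTES = r"I:\Company\changeme\Sales\notes.txt"
SAMPLE_EVENTS = [
    # handle 0xb550: opened for DELETE|ReadAttributes, only DELETE exercised, then closed
    _ev(180674940, 4656, "0xb550", ObjectName=DOC, AccessMask="0x10080"),
    _ev(180674944, 4663, "0xb550", ObjectName=DOC, AccessMask="0x10000",
        AccessList="%%1537\r\n\t\t\t\t"),
    _ev(180674950, 4658, "0xb550"),
    # same handle value reused for another file: must not merge with the record above
    _ev(180674960, 4656, "0xb550", ObjectName=NOTES, AccessMask="0x120089"),
    _ev(180674961, 4663, "0xb550", ObjectName=NOTES, AccessMask="0x1",
        AccessList="%%4416\r\n\t\t\t\t"),
]


def exercised_deletes(events):
    """(user, object) pairs where DELETE was actually exercised (4663), not merely
    requested at open time (4656)."""
    return [(r["user"], r["object"]) for r in correlate_handles(events)
            if "DELETE" in r["exercised"]]


if __name__ == "__main__":
    for rec in correlate_handles(SAMPLE_EVENTS):
        print(rec)
    print(exercised_deletes(SAMPLE_EVENTS))
```

The table only covers ObjectType File; for a registry key or other object type the low-order bits mean something else and need their own table, while the standard rights from 0x10000 upward are shared. The `exercised_deletes` helper is the kind of check that separates "opened a handle that could delete" from "deleted", which is the whole point of reading 4663 instead of 4656.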
