Event ID 4670 - Permissions on an object were changed
Operating System:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Log Sample:
{
"EventTime": "2017/12/03 14:04:12"
"Hostname": "adc1.changeme.com"
"Keywords": -9214364837600034816
"EventType": "AUDIT_SUCCESS"
"SeverityValue": 2
"Severity": "INFO"
"EventID": 4670
"SourceName": "Microsoft-Windows-Security-Auditing"
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
"Version": 0
"Task": 13570
"OpcodeValue": 0
"RecordNumber": 2975455205
"ProcessID": 772
"ThreadID": 780
"Channel": "Security"
"Message": "Permissions on an object were changed."
"Category": "Authorization Policy Change"
"Opcode": "Info"
"SubjectUserSid": "S-1-5-18"
"SubjectUserName": "GH2DCS-ADC1"
"SubjectDomainName": "logpoint"
"SubjectLogonId": "0x3e7"
"ObjectServer": "Security"
"ObjectType": "Token"
"ObjectName": "-"
"HandleId": "0x4bec"
"OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)"
"NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-86-6462-6297-207457-5572-367)"
"ProcessName": "C:\Windows\System32\svchost.exe"
"EventReceivedTime": "2017/12/03 14:04:12"
"SourceModuleName": "wineventlog_in"
"SourceModuleType": "im_msvistalog"
}
This event is logged when an auditing is enabled on an object. Here object can be anything from File, Folder, Key, Service Object, SAM etc. How to enable auditing?
This event is logged when the access control list on an object is changed and identifies object, who changed the permissions and the old an new permissions.
Object's audit policy must have auditing enabled for "Write DAC"/"Change Permissions" or "Take Ownership" permissions for the user who just modified this object's access control list or a group to which the user belongs. Also, this event is logged based on the status of the Object Access subcategory - not the status of "Authorization Policy Change" subcategory. For instance to log this event for file permission changes, the "File System" subcategory must be enabled for success.
This event is NOT logged when Active Directory object permissions are changed.
Subject User Information:
"SubjectUserSid" -> SID of an account
"SubjectUserName" -> user who logged in
"SubjectDomainName" -> domain name or computer name
"SubjectLogonId" -> This is an semi-unique id, can be correlated back to event id 4624, identifying logon session. Semi-unique in a sense that this is change in each reboot.
Object
"ObjectType" -> File (for file and folder). Can be SAM, Key etc.
"ObjectName" -> This is an actual object that was accessed
"HandleId" -> This is again a semi-unique id that identifies all subsequent audited events while the object is open. This id is used to correlate to other object access events (Open 4656, Access 4663, Close 4658)
"ResourceAttributes" -> This is used to classify objects according to any number of things like project, compliance, security level.
Process
"ProcessName" -> Identifies executable program that accessed an object
"ProcessID" -> ID specified when the executable started as logged in 4688
Permission Change
"OldSd" -> The old ACL of the object in SDDL format
"NewSd" -> The new ACL of the object in SDDL format
This event is logged when the access control list on an object is changed and identifies object, who changed the permissions and the old an new permissions.
Object's audit policy must have auditing enabled for "Write DAC"/"Change Permissions" or "Take Ownership" permissions for the user who just modified this object's access control list or a group to which the user belongs. Also, this event is logged based on the status of the Object Access subcategory - not the status of "Authorization Policy Change" subcategory. For instance to log this event for file permission changes, the "File System" subcategory must be enabled for success.
This event is NOT logged when Active Directory object permissions are changed.
Subject User Information:
"SubjectUserSid" -> SID of an account
"SubjectUserName" -> user who logged in
"SubjectDomainName" -> domain name or computer name
"SubjectLogonId" -> This is an semi-unique id, can be correlated back to event id 4624, identifying logon session. Semi-unique in a sense that this is change in each reboot.
Object
"ObjectType" -> File (for file and folder). Can be SAM, Key etc.
"ObjectName" -> This is an actual object that was accessed
"HandleId" -> This is again a semi-unique id that identifies all subsequent audited events while the object is open. This id is used to correlate to other object access events (Open 4656, Access 4663, Close 4658)
"ResourceAttributes" -> This is used to classify objects according to any number of things like project, compliance, security level.
Process
"ProcessName" -> Identifies executable program that accessed an object
"ProcessID" -> ID specified when the executable started as logged in 4688
Permission Change
"OldSd" -> The old ACL of the object in SDDL format
"NewSd" -> The new ACL of the object in SDDL format
No comments:
Post a Comment