Event 4663: An attempt was made to access an object.
Quick Answer
Event 4663 logs attempts to access files, folders, and registry keys when object auditing is enabled. This event is essential for detecting data exfiltration, unauthorized access to sensitive files, and lateral movement via file shares. High volume requires focused auditing on critical assets only.
Technical Details
Event ID: 4663
Windows Security- Object Access
Event Description
An attempt was made to access an object (e.g., File System, Registry).
Key Log Fields
SubjectUserName- Account attempting accessSubjectDomainName- Domain of the accountSubjectLogonId- Logon ID for correlationObjectType- Type of object (File, Key, etc.)ObjectName- Name or path of the objectHandleId- Handle ID (correlates with 4656)ProcessName- Process attempting accessProcessId- Process IDAccessMask- Access rights used (hex value)AccessList- Textual representation of access performed
MITRE ATT&CK® Mapping (11)
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump: * <code>procdump -ma lsass.exe lsass_dump</code> Locally, mimikatz can be run using: * <code>sekurlsa::Minidump lsassdump.dmp</code> * <code>sekurlsa::logonPasswords</code> Built-in Windows tools such as `comsvcs.dll` can also be used: * <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector) Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS) Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) The following SSPs can be used to access credentials: * Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. * Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection) * Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. * CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access. A number of tools can be used to retrieve the SAM file through in-memory techniques: * pwdumpx.exe * [gsecdump](https://attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) * secretsdump.py Alternatively, the SAM can be extracted from the Registry with Reg: * <code>reg save HKLM\sam sam</code> * <code>reg save HKLM\system system</code> Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7) Notes: * RID 500 account is the local, built-in administrator. * RID 501 is the guest account. * User accounts start with a RID of 1,000+.
Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
Event Comparison
Event 4663 logs the access itself. Event 4656 logs when a handle to the object is requested, and 4658 logs when the handle is closed. Event 5145 logs network share access attempts.
What This Event Means
Event 4663 is generated when a user or process attempts to access an audited object such as a file, folder, registry key, or other securable object on a Windows system. This event provides detailed information about what object was accessed, which account performed the access, what type of access was requested (read, write, delete, etc.), and whether the access was granted or denied. While this event can generate significant log volume in busy environments, when properly scoped to critical assets it becomes one of the most valuable events for detecting data theft, unauthorized access to sensitive information, and lateral movement through file shares. Security analysts configure Object Access Auditing (SACL - System Access Control List) on specific high-value targets such as directories containing financial data, personally identifiable information, intellectual property, or administrative tools. The event's access mask field reveals exactly what operations were attempted, allowing analysts to differentiate between benign file listing operations versus actual file content reads or modifications. Common attack scenarios visible through 4663 include attackers enumerating network shares looking for valuable data, exfiltrating files to staging locations, modifying system configuration files, and accessing credential storage locations like SAM or NTDS.dit database files. When combined with network connection events (Sysmon 3), analysts can correlate file access with subsequent network transmission to identify data exfiltration in progress.
Security Implications
- Bulk access to files in sensitive directories indicates potential data exfiltration or ransomware encryption preparation
- Access to credential stores (SAM, NTDS.dit, LSASS memory) reveals credential harvesting attempts
- Unauthorized access to backup directories may indicate attackers trying to prevent recovery after ransomware
- Registry key access for Run keys, Services, or AppInit_DLLs shows persistence mechanism installation
- After-hours access to financial or HR directories from IT accounts should trigger investigation
Detection Strategies
Scope object access auditing to high-value targets rather than auditing everything, which creates unmanageable log volume. Focus on directories containing sensitive data, system configuration locations, and credential storage areas. Alert on bulk file access patterns where a single account accesses hundreds or thousands of files in a short time period. Monitor for access to file extensions commonly targeted for exfiltration (.xlsx, .docx, .pdf, .pst) from accounts that don't normally access those files. Flag access to system directories like System32, Windows, or Program Files from non-administrative accounts. Correlate file access with network connections to detect staging and exfiltration. Track access to backup directories, especially deletion or modification attempts. Establish baseline access patterns for sensitive directories and alert on deviations. Comprehensive SIEM queries and volume management strategies will be provided in subsequent updates.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
Maze ransomware operators extensively accessed network file shares to identify valuable data for exfiltration before encryption
FIN7 group uses 4663 events to map networks, accessing administrative shares and identifying high-value targets
APT1 campaigns generated distinctive 4663 patterns when accessing and stealing intellectual property from compromised organizations