4660 An object was deleted
Logged when an audited file, registry key, or kernel object is actually deleted. Its strength is that it fires only on a real delete; its weakness is that it carries no object name, only a Handle ID, so it must be correlated with the handle-open event to learn what was removed.
Overview
The subcategories are Audit File System, Audit Kernel Object, and Audit Registry. The event is generated only if the object's SACL audits the Delete right (the subcategory must also be enabled for success). It does not include the deleted object's name, only the Handle ID. To identify what was deleted, match it against the 4656 (handle request whose requested access includes DELETE) with the same Handle ID from the same Process ID; a 4663 with DELETE access on that handle, where present, also carries the Object Name. Handle IDs are reused once a handle is closed, so correlate on Handle ID plus Process ID within a short time window rather than on Handle ID alone.
How it is triggered
- When an audited file, registry key, or kernel object is actually deleted (including a delete that completes when a handle opened with delete-on-close is released).
- Unlike 4663, which also fires for renames and any other access that exercises the DELETE right, 4660 is generated only when the object really ceases to exist.
Security review points
- Use it to detect deletion (destruction or concealment) of evidence, backups, and important files. Tie the Handle ID (together with the Process ID) to the preceding 4656 to determine the deleted object's name.
- If a single process or account produces many deletions in a short time, suspect destructive activity by ransomware or a wiper. Scheduled backup rotation and cleanup jobs produce the same pattern, so baseline the process names before alerting.
Notes for log review
- Without an object name, 4660 is hard to read on its own. Always read it paired with the 4656 of the same Handle ID and Process ID to fill in what was deleted; if no matching 4656 exists in the window, the handle was opened before collection started or the open itself was not audited, and the name cannot be recovered from 4660 alone.
- It only appears for targets whose SACL includes delete auditing. Set it narrowly on important assets (backup locations, evidence folders, critical registry keys) to keep the volume reviewable.
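The correlation and burst check described in the two sections above, as an added example that is not part of the original page. It is PowerShell run over a constructed set of flattened 4656/4660 events; the process names, paths, account names and the 60-file burst are invented sample data, and the `Get-DeletionEvents` loader assumes an elevated session on a host where delete auditing is actually set on the target SACLs.

```powershell
# Added example (not from the original page): pair each 4660 with the 4656 that
# requested DELETE on the same handle, then flag bursts of deletions per account/process.
# Property names mirror the Security log's EventData names (HandleId, ProcessId,
# ObjectName, AccessMask, SubjectUserName, ProcessName). All events below are constructed.

function Get-DeletionEvents {
    # Live loader (assumption: run elevated; delete auditing configured on the SACLs).
    # Flattens EventData into the same shape the constructed sample uses further down.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4660; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time = $_.TimeCreated; Id = $_.Id; HandleId = $d['HandleId']; ProcessId = $d['ProcessId']
                ObjectName = $d['ObjectName']; AccessMask = $d['AccessMask']
                SubjectUserName = $d['SubjectUserName']; ProcessName = $d['ProcessName']
            }
        }
}

function Resolve-DeletedObjects {
    param([Parameter(Mandatory)][object[]]$Events)
    # Only a 4656 that asked for DELETE (0x10000) can explain a 4660. Handle IDs are
    # reused after close, so pair each 4660 with the latest earlier request from the
    # same process; anything unmatched is reported as such rather than guessed.
    $opens = @($Events | Where-Object { $_.Id -eq 4656 -and (([int64]$_.AccessMask) -band 0x10000) })
    foreach ($del in @($Events | Where-Object { $_.Id -eq 4660 } | Sort-Object Time)) {
        $match = $opens |
            Where-Object { $_.ProcessId -eq $del.ProcessId -and $_.HandleId -eq $del.HandleId -and $_.Time -le $del.Time } |
            Sort-Object Time -Descending | Select-Object -First 1
        $name = if ($match) { $match.ObjectName } else { '<unmatched: no DELETE 4656 for this handle in window>' }
        [pscustomobject]@{ Time = $del.Time; Account = $del.SubjectUserName; Process = $del.ProcessName
                           HandleId = $del.HandleId; DeletedObject = $name }
    }
}

function Find-DeletionBursts {
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 50, [int]$WindowSeconds = 60)
    # Ransomware/wiper heuristic: Threshold or more 4660s from one account+process inside
    # WindowSeconds. Tune per host; backup rotation jobs are the usual false positive.
    $dels = $Events | Where-Object { $_.Id -eq 4660 }
    foreach ($g in ($dels | Group-Object SubjectUserName, ProcessName)) {
        $t = @($g.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
        for ($i = 0; $i + $Threshold - 1 -lt $t.Count; $i++) {
            if (($t[$i + $Threshold - 1] - $t[$i]).TotalSeconds -le $WindowSeconds) {
                [pscustomobject]@{ Account = $g.Group[0].SubjectUserName; Process = $g.Group[0].ProcessName
                                   Deletions = $g.Count; WindowStart = $t[$i]; WindowEnd = $t[$i + $Threshold - 1] }
                break
            }
        }
    }
}

# --- constructed sample: what flattened 4656/4660 pairs look like ---
function New-Ev([int]$Id, [datetime]$Time, $Handle, $Proc, $Name, $Mask, $User, $Exe) {
    [pscustomobject]@{ Time = $Time; Id = $Id; HandleId = $Handle; ProcessId = $Proc; ObjectName = $Name
                       AccessMask = $Mask; SubjectUserName = $User; ProcessName = $Exe }
}
$t0 = Get-Date '2024-05-01T09:00:00'
$sample = @(
    # explorer.exe opens a backup with DELETE and deletes it: the normal pair
    New-Ev 4656 $t0 '0x1a4' '0x7d0' 'C:\Backups\db-2024-04-30.bak' '0x10000' 'alice' 'C:\Windows\explorer.exe'
    New-Ev 4660 $t0.AddMilliseconds(5) '0x1a4' '0x7d0' $null $null 'alice' 'C:\Windows\explorer.exe'
    # same Handle ID value reused later by a different process: must NOT match the pair above
    New-Ev 4660 $t0.AddMinutes(5) '0x1a4' '0x9c4' $null $null 'svc-backup' 'C:\Program Files\Backup\agent.exe'
)
# a burst: 60 documents deleted in about 30 seconds by one unsigned-looking binary (sample name)
$sample += 1..60 | ForEach-Object {
    $ts = $t0.AddMinutes(10).AddMilliseconds(500 * $_)
    $h = '0x{0:x}' -f (0x200 + $_)
    New-Ev 4656 $ts $h '0xb1c' "C:\Users\alice\Documents\report-$_.docx" '0x10000' 'alice' 'C:\Users\alice\AppData\Local\Temp\x.exe'
    New-Ev 4660 $ts.AddMilliseconds(1) $h '0xb1c' $null $null 'alice' 'C:\Users\alice\AppData\Local\Temp\x.exe'
}

Resolve-DeletedObjects -Events $sample | Format-Table -AutoSize
Find-DeletionBursts -Events $sample -Threshold 50 -WindowSeconds 60 | Format-List
```

On the sample, the first 4660 resolves to `C:\Backups\db-2024-04-30.bak`, the reused-handle 4660 from `agent.exe` is reported as unmatched instead of being mislabelled with the backup file, and the 60 deletions by `x.exe` are flagged as a burst. To run against a real host, replace `$sample` with `Get-DeletionEvents -Since (Get-Date).AddHours(-2)`.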
Key fields
| Field | Meaning |
|---|---|
| Handle ID | The handle of the deleted object; the key for matching 4656 |
| Process ID | The process that held the handle; combine with Handle ID when matching, since handle values are reused |
| Subject\Account Name | The account that performed the deletion |
| Process Name | The process that performed the deletion |