
4661 A handle to an AD/SAM object was requested

Written when a handle is requested for an Active Directory object or a SAM object. It captures direct access to the directory or to the SAM (the account database).

Overview

Subcategories: Audit Directory Service Access and Audit SAM. The event is generated when a handle is requested to an Active Directory object or to an object in the SAM (Security Account Manager: the component that holds local account information on every Windows host and domain account information on domain controllers). If the access check fails, a Failure event is produced instead of a Success event. 4661 is written only when Success auditing is also enabled for the Audit Handle Manipulation subcategory; enabling Audit SAM or Audit Directory Service Access on its own does not produce it.

How it is triggered

  • An access request (read, write, enumerate, and so on) that opens a handle to an AD object or to a SAM object such as a domain, user, group or alias.
  • It occurs on domain controllers for AD and domain SAM objects, and on any Windows host (member servers and workstations keep their own local SAM) for local account objects.

Security review points

  • Suspicious access to SAM objects can be a precursor to account enumeration or credential theft (a SAM dump). Check the requesting account and, where it is meaningful, the process. For SAM objects the Process Name is normally lsass.exe, the server process that hosts the SAM, not the client tool, so identify the source through the Subject account and Logon ID (correlate the Logon ID with the 4624 logon event to get the source host).
  • Many handle requests to SAM user or group objects from one logon in a short time, especially for well-known RIDs such as 500 (Administrator), 512 (Domain Admins), 519 (Enterprise Admins) or 544 (Administrators), indicate directory reconnaissance (surveying which privileged accounts and groups exist). For AD objects, read 4661 together with 4662, which records the operation actually performed on the object; 4661 alone shows only that a handle with certain rights was requested.

Notes for log review

  • Enabling Audit Handle Manipulation raises the event volume considerably, because it also governs other handle events. Enable it on domain controllers and other hosts that hold sensitive accounts, ideally for a bounded investigation or tuning window rather than always-on, and make sure the collection pipeline can absorb the volume before turning it on.
  • Most 4661 events come from legitimate management tools, domain-joined services and replication. Build a baseline of the normal combinations of Subject account, Object Type and requested Access Mask per host, and alert on combinations outside it rather than on individual events.
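The triage logic described in the two sections above, as an added example that is not part of the original page or of any Microsoft tooling: it parses 4661 events in the Windows event XML layout, flags handle requests to SAM user or group objects whose SID ends in a well-known privileged RID, flags bulk lookups of many distinct principals from one logon, reports denied (Failure) requests, and compares each event with a baseline of known-good (account, object type, access mask) tuples. The sample events, the domain SID, the account names, the baseline and the enumeration threshold are all constructed for the example; the EventData field names follow the 4661 schema, and the assumption that Object Name carries the SID for SAM_USER, SAM_GROUP and SAM_ALIAS objects matches what is seen on real hosts but should be confirmed against your own logs.

```python
"""Triage of constructed 4661 events: privileged-RID lookups, bulk SAM
enumeration, denied handle requests and off-baseline access combinations."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_SUCCESS = "0x8020000000000000"  # Keywords value for success audits
AUDIT_FAILURE = "0x8010000000000000"  # Keywords value for failure audits

# Well-known RIDs that reconnaissance tooling tends to resolve first.
# Assumption: a starting list, extend it for your own environment.
PRIVILEGED_RIDS = {
    "500": "Administrator", "502": "krbtgt", "512": "Domain Admins",
    "518": "Schema Admins", "519": "Enterprise Admins",
    "544": "Administrators", "548": "Account Operators",
    "549": "Server Operators", "551": "Backup Operators",
}
SAM_PRINCIPAL_TYPES = {"SAM_USER", "SAM_GROUP", "SAM_ALIAS"}


def parse_4661(xml_text):
    """Return the EventData fields of a 4661 event as a dict, or None if the
    XML is some other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4661":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    data["Keywords"] = root.findtext("e:System/e:Keywords", namespaces=NS)
    return data


def review(events, baseline, enum_threshold=5):
    """Return (rule, subject, detail) findings for a batch of event XML strings.

    baseline: set of (DOMAIN\\account, ObjectType, AccessMask) tuples that are
    known-good on this host. Process Name is deliberately not part of the key:
    for SAM objects it is the server process (lsass.exe), so the Subject
    account and Logon ID are what identify the requester.
    """
    findings = []
    principals_by_logon = defaultdict(set)
    reported_off_baseline = set()
    for xml_text in events:
        d = parse_4661(xml_text)
        if d is None:
            continue
        subject = f"{d['SubjectDomainName']}\\{d['SubjectUserName']}"
        otype, oname, mask = d["ObjectType"], d["ObjectName"], d["AccessMask"]
        if d["Keywords"] == AUDIT_FAILURE:
            findings.append(("denied", subject, f"{otype} {oname} mask {mask}"))
        if otype in SAM_PRINCIPAL_TYPES:
            principals_by_logon[(subject, d["SubjectLogonId"])].add(oname)
            rid = oname.rsplit("-", 1)[-1]
            if rid in PRIVILEGED_RIDS:
                findings.append(("privileged_lookup", subject,
                                 f"{otype} {PRIVILEGED_RIDS[rid]} (RID {rid})"))
        key = (subject, otype, mask)
        if key not in baseline and key not in reported_off_baseline:
            reported_off_baseline.add(key)
            findings.append(("off_baseline", subject,
                             f"{otype} mask {mask} via {d['ProcessName']}"))
    for (subject, logon_id), names in principals_by_logon.items():
        if len(names) >= enum_threshold:
            findings.append(("enumeration", subject,
                             f"{len(names)} distinct principals in logon {logon_id}"))
    return findings


def make_event(user, logon_id, otype, oname, mask, process, failure=False):
    """Build a constructed 4661 event in the Windows event XML layout."""
    kw = AUDIT_FAILURE if failure else AUDIT_SUCCESS
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4661</EventID><Keywords>{kw}</Keywords></System>
<EventData>
<Data Name="SubjectUserName">{user}</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">{logon_id}</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">{otype}</Data><Data Name="ObjectName">{oname}</Data>
<Data Name="AccessMask">{mask}</Data><Data Name="ProcessName">{process}</Data>
</EventData></Event>"""


# Constructed sample batch: one baselined service account, then one logon that
# resolves Administrator and Domain Admins plus three ordinary users, and is
# finally denied a handle on the domain object.
LSASS = r"C:\Windows\System32\lsass.exe"
DOM = "S-1-5-21-1004336348-1177238915-682003330"  # constructed domain SID
SAMPLE_EVENTS = [
    make_event("svc_backup", "0x3e7a", "SAM_DOMAIN", "CORP", "0x2d", LSASS),
    make_event("jdoe", "0x9c41", "SAM_USER", f"{DOM}-500", "0x2d", LSASS),
    make_event("jdoe", "0x9c41", "SAM_GROUP", f"{DOM}-512", "0x2d", LSASS),
    make_event("jdoe", "0x9c41", "SAM_USER", f"{DOM}-1104", "0x2d", LSASS),
    make_event("jdoe", "0x9c41", "SAM_USER", f"{DOM}-1105", "0x2d", LSASS),
    make_event("jdoe", "0x9c41", "SAM_USER", f"{DOM}-1106", "0x2d", LSASS),
    make_event("jdoe", "0x9c41", "SAM_DOMAIN", "CORP", "0x20000", LSASS, failure=True),
]
BASELINE = {("CORP\\svc_backup", "SAM_DOMAIN", "0x2d")}

if __name__ == "__main__":
    for rule, subject, detail in review(SAMPLE_EVENTS, BASELINE):
        print(f"{rule:18} {subject:18} {detail}")
```

The baseline tuple and the enumeration threshold are the tuning knobs: build the baseline from a quiet period on each host before enforcing it, and set the threshold from how many principals a normal logon on that host resolves.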

Key fields

Field                       Meaning
Object Type / Object Name   The target (AD object or SAM object; for SAM user, group and alias objects the name is the SID)
Accesses / Access Mask      The requested access rights
Subject\Account Name        The requesting account (with Logon ID, for correlation with 4624)
Process Name                The requesting process (lsass.exe for SAM objects, as the SAM runs inside it)
