
4662 An operation was performed on an object

Logged when an operation is performed on an Active Directory object. It is a cornerstone of AD monitoring and can be used to detect DCSync (an attack that steals domain credentials via a replication request).

Overview

The subcategory is Audit Directory Service Access. It is generated only if an appropriate SACL is set on the target AD object and the performed operation matches that audit condition. If the operation fails, a Failure event is produced. One event is generated per operation type. The key to reading it is the Properties field, which lists the GUIDs of the accessed attributes or extended rights.

How it is triggered

  • When an audited operation, such as reading, writing, or exercising an extended right on an AD object, is performed.
  • It is generated on domain controllers.

Security review points

  • DCSync detection: an attacker abuses GetNCChanges of the MS-DRSR (directory replication) protocol to impersonate a DC and request replication of credentials. This is run by tools like mimikatz’s lsadump::dcsync. Suspect DCSync if 4662 requests these extended-right GUIDs:
    • 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes)
    • 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
  • The key indicator is that the subject is not a machine account (a name ending in $). Legitimate DC-to-DC replication runs under machine accounts, so a user account requesting these rights is highly suspicious. The AccessMask is typically 0x100 (control access).
  • Together with 4661 (a handle to an object was requested), use it to track reconnaissance and attribute access against AD.

Notes for log review

  • DCs produce these in volume from legitimate operations and replication. They are not useful as a raw feed; the event only works as DCSync detection once narrowed by conditions such as “replication GUID + non-machine account.”
  • Reading the Properties GUIDs by eye is impractical. Maintain a dictionary of GUIDs of interest (such as the replication rights above) and match against it.
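A triage routine that applies the two review conditions above (a replication-right GUID in Properties, subject not a machine account) over constructed sample records; this is an added example, not code from the original page. It assumes each event has already been parsed into a dict of its EventData fields (SubjectUserName, SubjectDomainName, ObjectServer, Properties, AccessMask), as an export from Event Viewer or a SIEM would give you.

```python
from __future__ import annotations
import re

# Dictionary of GUIDs of interest: the two replication extended rights from the page.
RIGHTS_OF_INTEREST = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

def extract_guids(properties: str) -> list[str]:
    """Return every GUID in a 4662 Properties field, lower-cased, in order."""
    return [g.lower() for g in GUID_RE.findall(properties)]

def triage(event: dict) -> dict | None:
    """Classify one 4662 EventData record; None means no replication right was requested."""
    if event.get("EventID") != 4662 or event.get("ObjectServer") != "DS":
        return None
    rights = [RIGHTS_OF_INTEREST[g] for g in extract_guids(event["Properties"])
              if g in RIGHTS_OF_INTEREST]
    if not rights:
        return None
    subject = event["SubjectUserName"]
    machine = subject.endswith("$")  # DC-to-DC replication runs as a machine account
    return {
        "subject": f"{event['SubjectDomainName']}\\{subject}",
        "rights": rights,
        "control_access": int(event["AccessMask"], 16) == CONTROL_ACCESS,
        "verdict": "legitimate DC replication" if machine else "DCSync suspect",
    }

def suspects(events: list[dict]) -> list[dict]:
    """Keep only the records an analyst should look at."""
    return [r for r in map(triage, events) if r and r["verdict"] == "DCSync suspect"]

# Constructed sample records (not real log data). Properties mimics the multi-line
# layout of the event's field: an access type line followed by one braced GUID per line.
REPL_PROPS = ("Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}\n")
SAMPLE_EVENTS = [
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP",
     "SubjectUserName": "DC02$", "AccessMask": "0x100", "Properties": REPL_PROPS},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "AccessMask": "0x100", "Properties": REPL_PROPS},
    {"EventID": 4662, "ObjectServer": "DS", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-0000000000aa}\n"},
]
```

Of the three constructed records only the second (a user account requesting both replication rights with control access) survives `suspects()`; the machine-account record is reported as legitimate replication and the plain attribute read is ignored.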

Key fields

Field                   Meaning
Subject\Account Name    The account that performed the operation; a non-$ user is notable
Object Server           DS (directory service)
Properties              The GUIDs of the accessed attributes / extended rights
Access Mask             The access performed; 0x100 is control access

Glossary

  • DCSync — an attack that abuses domain controller replication to steal password hashes and other data from other DCs via a replication request.
