4663 An attempt was made to access an object
Written when an access right is actually exercised on a file, registry, or kernel object. Unlike 4656, which only shows a request, 4663 shows that an operation was “performed,” making it the centerpiece of file/registry auditing.
Overview
The subcategories are Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage. It is generated only if the object’s SACL (the setting that defines which accesses are audited) has a matching audit entry. The difference from 4656 is that 4656 marks the “access requested” stage while 4663 marks “an access right was actually used.” 4663 has no Failure events.
How it is triggered
- Real access (read, write, delete, and so on) to an audited file, folder, registry key, or removable storage.
- The exercised rights appear in Accesses / Access Mask. WriteData, Delete, WriteDAC (permission change), and WriteOwner (ownership change) are notable.
Security review points
- Track reads, writes, and deletes of sensitive files by the triple of target (Object Name), executing account (Subject), and process (Process Name). Emphasize write, delete, and permission-change access in particular.
- Monitor writes to removable storage (USB and so on) from a data-exfiltration standpoint.
- Investigate a Process Name outside standard folders or containing a suspicious name like mimikatz. Correlate with the request-stage 4656 and the deletion 4660 to reconstruct the request-to-execution-to-deletion sequence.
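The review points above, as an added example that is not part of the original page: a small triage pass over exported 4656/4663/4660 records that keeps only 4663 entries exercising a change right or coming from an unusual process, and groups event IDs by Handle ID so the request-to-execution-to-deletion chain can be read off. The record layout, the standard-folder list and the sample events are assumptions constructed for this example.

```python
# Access-mask bits as Windows defines them: FILE_WRITE_DATA, DELETE, WRITE_DAC, WRITE_OWNER
WRITE_DATA, DELETE, WRITE_DAC, WRITE_OWNER = 0x2, 0x10000, 0x40000, 0x80000
CHANGE_MASK = WRITE_DATA | DELETE | WRITE_DAC | WRITE_OWNER
# Assumed "standard" process folders (an environment-specific baseline, not a Windows constant)
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_change_access(access_mask: int) -> bool:
    """True when any write / delete / permission-change / ownership-change bit is set."""
    return bool(access_mask & CHANGE_MASK)

def is_unusual_process(process_name: str) -> bool:
    """Flag a process outside the standard folders or carrying a known tool name."""
    name = process_name.lower()
    return "mimikatz" in name or not name.startswith(STANDARD_DIRS)

def review_4663(events):
    """Return (subject, process, object, reason) rows for notable 4663 records, plus event IDs per Handle ID."""
    findings, by_handle = [], {}
    for e in events:
        by_handle.setdefault(e["HandleId"], []).append(e["EventID"])
        if e["EventID"] != 4663:
            continue
        reasons = []
        if is_change_access(e["AccessMask"]):
            reasons.append("change right")
        if is_unusual_process(e["ProcessName"]):
            reasons.append("unusual process")
        if reasons:
            findings.append((e["SubjectUserName"], e["ProcessName"], e["ObjectName"], ", ".join(reasons)))
    return findings, by_handle

def ev(eid, hid, user, obj, proc, mask):
    return dict(EventID=eid, HandleId=hid, SubjectUserName=user, ObjectName=obj, ProcessName=proc, AccessMask=mask)

# Constructed sample records (field names follow the event XML), not real log data
TOOL = r"C:\Users\bob\AppData\Local\Temp\mimikatz.exe"
SAMPLE_EVENTS = [
    ev(4656, "0x1a4", "alice", r"C:\Finance\Q3.xlsx", r"C:\Windows\explorer.exe", 0x1),
    ev(4663, "0x1a4", "alice", r"C:\Finance\Q3.xlsx", r"C:\Windows\explorer.exe", 0x1),  # read only: not flagged
    ev(4656, "0x3c8", "bob", r"C:\Finance\Q3.xlsx", TOOL, DELETE),                        # request stage
    ev(4663, "0x3c8", "bob", r"C:\Finance\Q3.xlsx", TOOL, DELETE),                        # delete exercised
    ev(4660, "0x3c8", "bob", "", TOOL, 0),                                                 # object deleted
    ev(4663, "0x510", "carol", r"E:\export.zip", r"C:\Windows\System32\notepad.exe", WRITE_DATA),  # write to E:
]

if __name__ == "__main__":
    for row in review_4663(SAMPLE_EVENTS)[0]:
        print(" | ".join(row))
```

In practice the records would come from an EVTX export (for example via Get-WinEvent or a SIEM), with Access Mask parsed from its hex string.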
Notes for log review
- It only appears for targets with a SACL set. Auditing everything explodes in volume, so design SACLs narrowly on important assets, sensitive folders, and removable media.
- Read access occurs in large volume during legitimate work. Narrowing to “change” rights such as write, delete, and permission change keeps the investigation scope practical.
- A 4663 on a kernel object has little security meaning and is hard to analyze. Do not audit it without a clear purpose.
Key fields
| Field | Meaning |
|---|---|
| Object Name / Object Type | The accessed object and its type |
| Accesses / Access Mask | The access rights actually exercised |
| Subject\Account Name | The accessing account |
| Process Name | The process that performed the access |
| Handle ID | The key for matching 4656 / 4660 |