4664 An attempt was made to create a hard link
Written when an NTFS hard link is created. A hard link adds another directory entry (name) for an existing file, and it can be used for audit evasion or file concealment.
Overview
The subcategory is Audit File System. It is generated when an NTFS hard link (multiple directory entries pointing to the same file content) is successfully created. With a hard link, the same content can be accessed from a different path and name than the original file.
How it is triggered
- When a hard link is created, for example with `mklink /H` or the `CreateHardLink` API.
- It is recorded in environments where File System auditing is enabled on the target.
Security review points
- When auditing or access control is tied to the original file’s path, a hard link can be used to access the content from another name and thereby evade detection or restriction. Check who created the link and with which process.
- Unexpected hard-link creation against important or protected files can be a sign of file concealment or preparation for exfiltration.
Notes for log review
- It does not occur often in normal operation. When it appears, check the target file and the creating process and account.
- Backup software and some legitimate tools use hard links, so baseline out and exclude known legitimate processes.
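The review steps above (check the target file, the creating process and the account; baseline out known legitimate processes; flag links against protected files) can be turned into a small triage pass over 4664 records. The following is an added example, not part of the original page: the records, the baseline process list and the protected directory prefixes are all constructed for illustration, and the field names follow the "Key fields" table on this page rather than any particular export format.

```python
"""Triage of constructed Event ID 4664 (hard link created) records.

Added example. Field names follow the page's "Key fields" table; the
events, baseline and protected prefixes below are constructed values.
"""
from pathlib import PureWindowsPath

# Constructed sample records (not captured from a real host). A 4663 record
# is included to show that other event IDs are ignored by the triage.
SAMPLE_EVENTS = [
    {"EventID": 4664, "AccountName": "backupsvc",
     "FileName": r"C:\Data\report.docx",
     "LinkName": r"C:\Backup\2024-05-01\report.docx",   # same volume, as NTFS requires
     "ProcessName": r"C:\Program Files\BackupTool\backup.exe"},
    {"EventID": 4664, "AccountName": "jdoe",
     "FileName": r"C:\Finance\payroll.xlsx",
     "LinkName": r"C:\Users\jdoe\Music\track01.mp3",   # protected file under a misleading name
     "ProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4664, "AccountName": "jdoe",
     "FileName": r"C:\Users\jdoe\notes.txt",
     "LinkName": r"C:\Users\jdoe\notes-copy.txt",
     "ProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4663, "AccountName": "jdoe",
     "FileName": r"C:\Finance\payroll.xlsx",
     "ProcessName": r"C:\Windows\explorer.exe"},
]

# Hypothetical baseline: processes known to create hard links legitimately
# (e.g. backup software). Compared case-insensitively, as NTFS paths are.
BASELINE_PROCESSES = {r"c:\program files\backuptool\backup.exe"}

# Hypothetical protected locations: any hard link whose original file lives
# here is treated as high severity unless the process is baselined.
PROTECTED_PREFIXES = [
    PureWindowsPath(r"C:\Finance"),
    PureWindowsPath(r"C:\Windows\System32\config"),
]


def _under(path: PureWindowsPath, prefix: PureWindowsPath) -> bool:
    """True if path equals prefix or lies beneath it.

    PureWindowsPath compares case-insensitively, matching NTFS semantics.
    """
    return path == prefix or prefix in path.parents


def triage(events, baseline=BASELINE_PROCESSES, protected=PROTECTED_PREFIXES):
    """Return one finding per 4664 record with a severity and the reasons.

    severity: "suppressed" (baselined process), "high" (protected original
    or link name hides the content type), or "review" (rare event, look at
    the file, process and account as the page recommends).
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4664:
            continue
        original = PureWindowsPath(ev["FileName"])
        link = PureWindowsPath(ev["LinkName"])
        reasons = []
        if ev["ProcessName"].lower() in baseline:
            severity = "suppressed"
        else:
            if any(_under(original, p) for p in protected):
                reasons.append("original file is under a protected path")
            if original.suffix.lower() != link.suffix.lower():
                reasons.append(
                    f"link extension {link.suffix!r} differs from original {original.suffix!r}")
            severity = "high" if reasons else "review"
        findings.append({
            "account": ev["AccountName"],
            "process": ev["ProcessName"],
            "original": str(original),
            "link": str(link),
            "severity": severity,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:10}] {f['account']} via {f['process']}: "
              f"{f['original']} -> {f['link']} {f['reasons']}")
```

The extension-mismatch heuristic targets the concealment case described above (the same content reachable under an unrelated name in another folder); the baseline suppresses, rather than drops, records so that a reviewer can still see what the backup process linked.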
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that created the link |
| File Name / Link Name | The original file and the created link |
| Process Name | The process that performed the creation |
Glossary
- Hard link — multiple names pointing to the same file content; the same content is reachable from any of the names.