4670 Permissions on an object were changed
Written when the permissions (the DACL: the setting for who can do what) of a file, registry key, or token object are changed. It captures tampering with access control.
Overview
The subcategories are Audit File System, Audit Registry, Audit Authentication Policy Change, and Audit Authorization Policy Change. It is generated when an object’s permissions are changed (not when the audit SACL is changed). Generation requires the target’s SACL to have auditing set for “Change Permissions”/“Take Ownership” (Write DAC / Write Owner for the registry).
How it is triggered
- When the DACL (Discretionary Access Control List: the setting that defines access) of a file, folder, registry key, or token is changed.
Security review points
- Attackers change permissions to add their own access to sensitive files or persistence targets, or to loosen defensive restrictions. Check who changed which permission and how.
- An unexpected DACL change on an important file or registry key can be a precursor to later unauthorized access or backdoor installation. Pay special attention when ownership change (Take Ownership) is involved.
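To answer "who changed which permission and how", the following Python helper (an added example, not part of the original page) parses one 4670 event in XML form and diffs the DACL entries between the event's `OldSd` and `NewSd` fields, which carry the old and new security descriptors in SDDL. The sample event is constructed, and the presence of an `O:` owner component in those fields is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample event (not from a real host): an explicit ACE granting
# Everyone (WD) Full Access (FA) is added to a file's DACL.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4670</EventID></System>
 <EventData>
  <Data Name="SubjectUserName">jdoe</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Finance\payroll.xlsx</Data>
  <Data Name="OldSd">O:BAD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)</Data>
  <Data Name="NewSd">O:BAD:AI(A;;FA;;;WD)(A;ID;FA;;;SY)(A;ID;FA;;;BA)</Data>
  <Data Name="ProcessName">C:\Windows\System32\icacls.exe</Data>
 </EventData>
</Event>"""

def dacl_aces(sddl):
    """ACE strings in the D: (DACL) part of an SDDL string; the S: part is ignored.
    Simplification: conditional ACEs with nested parentheses are not handled."""
    m = re.search(r"D:[A-Z_]*((?:\([^)]*\))*)", sddl)
    return set(re.findall(r"\(([^)]*)\)", m.group(1))) if m else set()

def owner(sddl):
    """Owner from a leading O: component, or None if the descriptor has none."""
    m = re.match(r"O:(.+?)(?=[GDS]:|$)", sddl)
    return m.group(1) if m else None

def triage_4670(event_xml):
    """Summarize one 4670 event: actor, process, target, and the DACL delta."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4670":
        return None
    d = {x.get("Name"): (x.text or "") for x in root.iterfind("e:EventData/e:Data", NS)}
    old, new = d.get("OldSd", ""), d.get("NewSd", "")
    o_old, o_new = owner(old), owner(new)
    return {
        "who": d.get("SubjectUserName"),
        "process": d.get("ProcessName"),
        "object": d.get("ObjectName"),
        "added": sorted(dacl_aces(new) - dacl_aces(old)),
        "removed": sorted(dacl_aces(old) - dacl_aces(new)),
        "owner_changed": None not in (o_old, o_new) and o_old != o_new,
    }

if __name__ == "__main__":
    print(triage_4670(SAMPLE_EVENT))
```

An `added` entry that grants broad rights to a wide trustee such as `WD` (Everyone), or any event with `owner_changed` set, is worth reviewing first.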
Notes for log review
- It only appears for targets with a SACL set. Scope that auditing narrowly to important assets.
- It also occurs during legitimate configuration changes (installers, GPO, administration). Compare the subject making the change, the target, and the change itself against normal patterns.
Key fields
| Field | Meaning |
|---|---|
| Object Name / Object Type | The target whose permissions were changed |
| Subject\Account Name | The account that made the change |
| Process Name | The process that made the change |
Glossary
- DACL — the setting on an object defining who is allowed or denied which access. It is distinct from the SACL (audit setting).