4690 An attempt was made to duplicate a handle to an object
Written when an attempt is made to duplicate an existing object handle. It is an operation that passes one process’s handle to another, and it relates to transferring access rights.
Overview
The subcategory is Audit Handle Manipulation. It is generated when an attempt is made to duplicate a handle to an object (an internal reference representing access to a resource). Duplication lets one process’s handle be usable in another process or context.
How it is triggered
- When an existing handle is duplicated, for example via the DuplicateHandle API.
- It is recorded in environments where Audit Handle Manipulation is enabled.
Security review points
- Handle duplication can relate to a technique where an attacker seizes a handle held by a privileged process (especially a process handle to LSASS) to enable credential theft or privilege escalation. Check the source and target processes.
- Together with handle requests 4656 / 4661, track the access path to sensitive objects.
Notes for log review
- Audit Handle Manipulation is very noisy. Do not leave it always on; use it narrowly for specific investigations.
- It is hard to judge alone; evaluate it in the context of the duplicated object and the processes involved.
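The review points above say a 4690 event is only meaningful once it is joined to the earlier 4656 handle request that opened the source handle, and that duplications of a process handle to LSASS deserve the closest look. The script below is an added example, not code from the page, that does exactly that correlation over a small set of constructed events. The event records are shaped after the key fields listed on this page; the `ObjectType` and `ObjectName` values are assumed to come from the matching 4656 record, and the list of sensitive process names is an assumption for illustration.

```python
"""Correlate 4690 handle-duplication events with the 4656 handle-request
events that opened the source handle, so each duplication can be reviewed
in the context of the object it refers to.

All records below are constructed sample data shaped after the fields this
page lists; they are not exported from a real Windows event log."""

# Constructed sample events. Field names follow the page's key-field table;
# ObjectType / ObjectName are assumed to be taken from the earlier 4656 record.
SAMPLE_EVENTS = [
    {"EventID": 4656, "HandleId": "0x1a4", "ProcessName": "C:\\Windows\\explorer.exe",
     "SubjectAccountName": "alice", "ObjectType": "File",
     "ObjectName": "C:\\Users\\alice\\notes.txt"},
    {"EventID": 4690, "SourceHandleId": "0x1a4", "TargetHandleId": "0x2c8",
     "ProcessName": "C:\\Windows\\explorer.exe", "SubjectAccountName": "alice"},
    {"EventID": 4656, "HandleId": "0x3f0", "ProcessName": "C:\\Temp\\tool.exe",
     "SubjectAccountName": "svc_backup", "ObjectType": "Process",
     "ObjectName": "\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe"},
    {"EventID": 4690, "SourceHandleId": "0x3f0", "TargetHandleId": "0x410",
     "ProcessName": "C:\\Temp\\tool.exe", "SubjectAccountName": "svc_backup"},
    # A duplication with no preceding 4656 in the sample: cannot be judged alone.
    {"EventID": 4690, "SourceHandleId": "0x999", "TargetHandleId": "0x9a0",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe", "SubjectAccountName": "SYSTEM"},
]

# Processes whose duplicated process handles the page singles out for review
# (assumed list; extend for your environment).
SENSITIVE_PROCESS_NAMES = ("lsass.exe",)


def classify(source_request):
    """'high' for a duplicated process handle to a sensitive process,
    'unknown' when no matching 4656 exists, otherwise 'low'."""
    if source_request is None:
        return "unknown"
    name = source_request["ObjectName"].lower()
    if source_request["ObjectType"] == "Process" and name.endswith(SENSITIVE_PROCESS_NAMES):
        return "high"
    return "low"


def correlate_duplications(events):
    """Return one finding per 4690 event, enriched with the 4656 record (if any)
    that opened the source handle in the same process."""
    # Handle ids are reused over time, so keep only the most recent 4656 per
    # (process, handle id) and match each 4690 against that.
    opened = {}
    findings = []
    for ev in events:
        if ev["EventID"] == 4656:
            opened[(ev["ProcessName"], ev["HandleId"])] = ev
        elif ev["EventID"] == 4690:
            src = opened.get((ev["ProcessName"], ev["SourceHandleId"]))
            findings.append({
                "account": ev["SubjectAccountName"],
                "process": ev["ProcessName"],
                "source_handle": ev["SourceHandleId"],
                "target_handle": ev["TargetHandleId"],
                "object_type": src["ObjectType"] if src else None,
                "object_name": src["ObjectName"] if src else None,
                "severity": classify(src),
            })
    return findings


if __name__ == "__main__":
    for f in correlate_duplications(SAMPLE_EVENTS):
        print(f"[{f['severity']:7}] {f['account']} {f['process']} "
              f"{f['source_handle']}->{f['target_handle']} "
              f"{f['object_type']} {f['object_name']}")
```

The third finding comes out as `unknown` because its source handle was never seen in a 4656: that is the situation the notes above warn about, where the event cannot be judged on its own. Because Audit Handle Manipulation is noisy, a real run would feed this only the narrow time window and hosts under investigation rather than the whole log.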
Key fields
| Field | Meaning |
|---|---|
| Source Handle ID / Target Handle ID | The source and target handles |
| Subject\Account Name | The account that performed the operation |
| Process Name | The process that performed the duplication |