EventPeeker
Event ID 4663 · Audit Success · Security · T1003

Windows Event ID 4663: Object Access Attempt

Logged when an attempt is made to access an audited object (file, folder, registry key, etc.). Requires a SACL (System Access Control List) to be configured on the object.

MITRE ATT&CK

Technique

T1003 · OS Credential Dumping

Tactic

Credential Access

Why It Matters

File auditing on sensitive directories (e.g. SAM database, LSASS dump paths, credential stores) can reveal data theft or credential dumping attempts.

Key Fields

Object Name: The file or resource accessed
Access Mask: What type of access was requested; 0x2 (write) and 0x10000 (delete) are more sensitive than reads
Account Name: Who accessed the object
Process Name: What process performed the access

Investigation Tips

  1. Enable auditing on sensitive paths: C:\Windows\System32\config, LSASS memory, credential stores.
  2. Access to ntds.dit or SYSTEM hive by non-backup processes indicates credential dumping.
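
The second tip, applied to exported 4663 event XML, as an added example (not EventPeeker's code). It reads the standard EventData fields ObjectName, AccessMask, SubjectUserName and ProcessName; the `BACKUP_PROCESSES` allowlist is an assumption to replace per environment, and `sample_event` builds constructed records rather than real log entries.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Standard file access-right bits carried in the AccessMask field.
ACCESS_BITS = {0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
               0x10000: "DELETE", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
HIVE_DIR = r"\windows\system32\config"   # matched as a suffix of the directory
HIVE_NAMES = {"sam", "system"}           # hives named on this page
# ASSUMPTION: site-specific allowlist of backup binaries; replace with your own.
BACKUP_PROCESSES = {r"c:\windows\system32\wbengine.exe"}

def sample_event(obj, proc, mask, user="jdoe"):
    """Build a constructed, minimal 4663 record (not taken from a real log)."""
    data = {"SubjectUserName": user, "ObjectName": obj,
            "AccessMask": mask, "ProcessName": proc}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4663</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

def decode_mask(mask_hex):
    """Translate a hex AccessMask such as '0x10002' into right names."""
    mask = int(mask_hex, 16)
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]

def triage(xml_text):
    """Return a finding for sensitive-object access by a non-backup process, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4663":
        return None
    ev = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    obj = ev.get("ObjectName", "").lower()
    name = ntpath.basename(obj)
    is_hive = ntpath.dirname(obj).endswith(HIVE_DIR) and name in HIVE_NAMES
    if not (is_hive or name == "ntds.dit"):
        return None
    if ev.get("ProcessName", "").lower() in BACKUP_PROCESSES:
        return None
    return {"object": ev["ObjectName"], "process": ev.get("ProcessName", ""),
            "account": ev.get("SubjectUserName", ""),
            "rights": decode_mask(ev.get("AccessMask", "0x0"))}

if __name__ == "__main__":
    for e in (sample_event(r"C:\Windows\System32\config\SYSTEM", r"C:\Temp\unknown.exe", "0x1"),
              sample_event(r"C:\Windows\NTDS\ntds.dit", r"C:\Windows\System32\wbengine.exe", "0x1")):
        print(triage(e))
```

The directory is matched as a suffix so that ObjectName values reported with a device-path prefix instead of a drive letter are still caught.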

Related Event IDs

4656: Handle to object requested; precedes 4663
4688: Process that accessed the object
