EventPeeker
Event ID 4907 · Audit Success · Security · T1562.002

Windows Event ID 4907: Auditing Settings Changed on Object

Logged when the System Access Control List (SACL) on an object is modified, changing what activity is audited on that object. The event carries both the old and the new security descriptor in SDDL form. It is only generated when the Audit Policy Change subcategory (Policy Change category) is enabled for success; a host without that subcategory enabled records no 4907 at all.

MITRE ATT&CK

Technique

T1562.002 · Disable Windows Event Logging

Tactic

Defense Evasion

View on attack.mitre.org →

Why It Matters

Object access auditing is per-object: 4663 (object access) and 4657 (registry value modified) fire only for objects whose SACL requests them. Attackers therefore modify SACLs to remove auditing from sensitive objects (LSASS, NTDS.dit, or privileged registry keys) so that their subsequent access generates no 4663 or 4657 entries, without touching the system-wide audit policy that would produce a 4719. This is a defense evasion technique that blinds defenders by disabling the very logging that would detect a credential dump. Any unexpected SACL change on a security-sensitive object should be investigated.

Key Fields

Object Name: The object whose audit settings changed. Focus on lsass.exe, NTDS.dit, the SAM hive, or sensitive registry keys.
Object Type: File, Key, or another object class. Indicates what kind of object had its auditing changed.
Subject Account Name: Who changed the SACL. Should be a known admin performing authorized configuration.
Process Name: The process that performed the change (for example icacls.exe, a management console, or an unfamiliar binary).
Old Sd: The security descriptor before the change, in SDDL. The SACL is the part after S:.
New Sd: The security descriptor after the change, in SDDL. An S: section with no ACEs (or no S: section at all) means auditing was removed entirely; fewer (AU;...) entries than before means it was reduced.

Investigation Tips

  1. A SACL change removing auditing from lsass.exe, ntds.dit, SAM, or LSA/NTLM-related registry keys is a strong indicator of pre-attack preparation for credential dumping.
  2. Compare Old Sd vs New Sd. Audit entries live in the S: section of the SDDL and have the form (AU;SA;...) for success auditing or (AU;FA;...) for failure auditing; (A;;...) entries are access-allowed ACEs in the D: section and say nothing about auditing. Removal of (AU;...) entries indicates auditing was stripped. An empty SACL (no audit entries) means no further access events will be logged for that object.
  3. Is this always malicious? No. SACLs are modified during legitimate system configuration, Group Policy updates, and software installation. Look for unexpected accounts, unusual timing, unfamiliar processes in the Process Name field, or sensitive target objects.
  4. Correlate with Event ID 4663 gaps: if you had access auditing enabled on a sensitive object and 4907 shows it was removed, treat the period between the 4907 and any later SACL restoration as a window in which 4663 could not have fired, and look for other evidence of access (process creation, logons, network activity) inside that window.
  5. Modifying a SACL requires SeSecurityPrivilege ("Manage auditing and security log"). Use the Process ID and Process Name fields of the 4907 itself to find the matching Event ID 4688 for the process (and its parent and command line), and check Event ID 4673/4674 around the same time for use of SeSecurityPrivilege by that process.
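Tips 1 and 2 can be automated against an exported 4907 event. The following is an added example (not EventPeeker's code or any Microsoft tooling): it parses the event's Data fields, splits the Old Sd and New Sd SDDL into their O:/G:/D:/S: components, diffs the audit ACEs in the SACL, and flags the event when audit entries disappear from an object on a sensitive-object list. The sample event body, the field values in it, and the SENSITIVE_OBJECT_HINTS list are constructed for illustration; the Data field names (OldSd, NewSd, ObjectName, ProcessName, ...) are those of a real 4907.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the EventData of a 4907 as it looks in an XML export.
# Subject, SIDs, handle, process and path are made up for this example.
SAMPLE_4907_XML = r"""<EventData>
  <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
  <Data Name="SubjectUserName">jdoe</Data>
  <Data Name="SubjectDomainName">CORP</Data>
  <Data Name="SubjectLogonId">0x3e7a1</Data>
  <Data Name="ObjectServer">Security</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\Windows\NTDS\ntds.dit</Data>
  <Data Name="HandleId">0x2bc</Data>
  <Data Name="OldSd">O:BAG:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:(AU;SA;FA;;;WD)(AU;FA;FA;;;WD)</Data>
  <Data Name="NewSd">O:BAG:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)S:</Data>
  <Data Name="ProcessId">0x1a4c</Data>
  <Data Name="ProcessName">C:\Windows\System32\icacls.exe</Data>
</EventData>"""

# Lower-cased substrings of object names worth escalating on. This list is an
# assumption for the example; tune it to your environment.
SENSITIVE_OBJECT_HINTS = (
    "lsass.exe",
    "ntds.dit",
    "\\config\\sam",                 # on-disk SAM hive
    "\\registry\\machine\\sam",      # SAM hive as a registry key object
    "\\control\\lsa",                # HKLM\SYSTEM\...\Control\Lsa
    "\\security\\policy\\secrets",
)

# SDDL ACE types that audit: AU = SYSTEM_AUDIT_ACE, OU = object-specific audit ACE.
AUDIT_ACE_TYPES = {"AU", "OU"}

# Colons occur in SDDL only as component markers, so splitting on O:/G:/D:/S:
# is safe even with SID strings (S-1-5-...) and two-letter aliases (SY, BA).
_COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def sddl_components(sddl):
    """Split an SDDL string into a dict of its O:, G:, D: and S: bodies."""
    return {key: body for key, body in _COMPONENT_RE.findall(sddl)}


def sacl_aces(sddl):
    """ACE strings of the SACL (the S: component), in order. SACL control flags
    such as P, AI or AR before the first '(' are skipped. No S: section or an
    empty one returns [], i.e. nothing is audited on the object."""
    sacl = sddl_components(sddl).get("S", "")
    return ["(%s)" % ace for ace in _ACE_RE.findall(sacl)]


def _ace_type(ace):
    return ace[1:].split(";")[0]


def audit_ace_diff(old_sd, new_sd):
    """(removed, added): audit ACEs present only in old_sd / only in new_sd."""
    old = {a for a in sacl_aces(old_sd) if _ace_type(a) in AUDIT_ACE_TYPES}
    new = {a for a in sacl_aces(new_sd) if _ace_type(a) in AUDIT_ACE_TYPES}
    return sorted(old - new), sorted(new - old)


def parse_event_data(xml_text):
    """Map <Data Name="..."> elements to a dict. Tag names are compared without
    namespace so a full <Event xmlns=...> export works as well as a bare body."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "")
            for d in root.iter() if d.tag.rsplit("}", 1)[-1] == "Data"}


def triage_4907(xml_text):
    """Apply investigation tips 1 and 2 to one 4907 event."""
    ev = parse_event_data(xml_text)
    removed, added = audit_ace_diff(ev.get("OldSd", ""), ev.get("NewSd", ""))
    name = ev.get("ObjectName", "").lower()
    result = {
        "object": ev.get("ObjectName", ""),
        "object_type": ev.get("ObjectType", ""),
        "subject": "%s\\%s" % (ev.get("SubjectDomainName", ""), ev.get("SubjectUserName", "")),
        "process": ev.get("ProcessName", ""),
        "removed_audit_aces": removed,
        "added_audit_aces": added,
        "sacl_now_empty": not sacl_aces(ev.get("NewSd", "")),
        "sensitive_object": any(h in name for h in SENSITIVE_OBJECT_HINTS),
    }
    # Escalate when auditing was taken away from an object on the watch list.
    result["escalate"] = result["sensitive_object"] and bool(removed)
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage_4907(SAMPLE_4907_XML), indent=2))
```

On the sample, both audit ACEs for Everyone (WD) disappear and the new SACL is empty, so the event is escalated: ntds.dit has just lost all access auditing. Run the same function over every 4907 in an export and sort by the escalate flag; changes that only add (AU;...) entries, or that touch objects outside the list, drop to the bottom of the pile.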

Related Event IDs

4663: Object access. The event that 4907 suppresses when the SACL is removed.
4657: Registry value modified. Also depends on the key's SACL, so stripping auditing from a registry key silences this as well as 4663.
4670: Permissions on an object were changed. The DACL counterpart of 4907; an attacker loosening access and removing auditing on the same object produces both.
4688: Process creation. Identify the process that modified the SACL via the Process ID in the 4907.
4719: System audit policy changed. Broader, system-wide audit policy modification rather than a per-object change.

See Event ID 4907 in your logs

Upload a Windows Event Log (.evtx) file. EventPeeker automatically detects "auditing settings changed on object" events, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →