Jaa


4662(S, F): An operation was performed on an object.

Event 4662 illustration

Subcategory: Audit Directory Service Access

Event Description:

This event generates every time when an operation was performed on an Active Directory object.

This event generates only if appropriate SACL was set for Active Directory object and performed operation meets this SACL.

If operation failed then Failure event will be generated.

You will get one 4662 for each operation type which was performed.

Note  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
 <EventID>4662</EventID> 
 <Version>0</Version> 
 <Level>0</Level> 
 <Task>14080</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8020000000000000</Keywords> 
 <TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" /> 
 <EventRecordID>407230</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="520" ThreadID="600" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.contoso.local</Computer> 
 <Security /> 
 </System>
- <EventData>
 <Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data> 
 <Data Name="SubjectUserName">dadmin</Data> 
 <Data Name="SubjectDomainName">CONTOSO</Data> 
 <Data Name="SubjectLogonId">0x35867</Data> 
 <Data Name="ObjectServer">DS</Data> 
 <Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data> 
 <Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data> 
 <Data Name="OperationType">Object Access</Data> 
 <Data Name="HandleId">0x0</Data> 
 <Data Name="AccessList">%%1537</Data> 
 <Data Name="AccessMask">0x10000</Data> 
 <Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data> 
 <Data Name="AdditionalInfo">-</Data> 
 <Data Name="AdditionalInfo2" /> 
 </EventData>
 </Event>

Required Server Roles: Active Directory domain controller.

Minimum OS Version: Windows Server 2008.

Event Versions: 0.

Field Descriptions:

Subject:

  • Security ID [Type = SID]: SID of account that requested the operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note  A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name [Type = UnicodeString]: the name of the account that requested the operation.

  • Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

    • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

    • For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

  • Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Object:

  • Object Server [Type = UnicodeString]: has “DS” value for this event.

  • Object Type [Type = UnicodeString]: type or class of the object that was accessed. Some of the common Active Directory object types and classes are:

  • Object Name [Type = UnicodeString]: distinguished name of the object that was accessed.

Note  The LDAP API references an LDAP object by its distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.

An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:

• DC - domainComponent

• CN - commonName

• OU - organizationalUnitName

• O - organizationName

  • Handle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4661: A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.

Operation:

  • Operation Type [Type = UnicodeString]: the type of operation which was performed on an object. Typically has “Object Access” value for this event.

  • Accesses [Type = UnicodeString]: the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information.

  • Access Mask [Type = HexInt32]: hexadecimal mask for the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information.

Access Mask Access Name Description
0x1 Create Child The right to create child objects of the object.
0x2 Delete Child The right to delete child objects of the object.
0x4 List Contents The right to list child objects of this object.
0x8 SELF The right to perform an operation controlled by a validated write access right.
0x10 Read Property The right to read properties of the object.
0x20 Write Property The right to write properties of the object.
0x40 Delete Tree Delete all children of this object, regardless of the permissions of the children. It is indicates that “Use Delete Subtree server control” check box was checked during deletion. This operation means that all objects within the subtree, including all delete-protected objects, will be deleted.
0x80 List Object The right to list a particular object.
0x100 Control Access Access allowed only after extended rights checks supported by the object are performed.
The right to perform an operation controlled by an extended access right.
0x10000 DELETE The right to delete the object.
DELETE also generated when object was moved.
0x20000 READ_CONTROL The right to read data from the security descriptor of the object, not including the data in the SACL.
0x40000 WRITE_DAC The right to modify the discretionary access-control list (DACL) in the object security descriptor.
0x80000 WRITE_OWNER The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users.
0x100000 SYNCHRONIZE The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state.
0x1000000 ADS_RIGHT_ACCESS_SYSTEM_SECURITY The right to get or set the SACL in the object security descriptor.
0x80000000 ADS_RIGHT_GENERIC_READ The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container.
0x40000000 ADS_RIGHT_GENERIC_WRITE The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.
0x20000000 ADS_RIGHT_GENERIC_EXECUTE The right to read permissions on, and list the contents of, a container object.
0x10000000 ADS_RIGHT_GENERIC_ALL The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right.

Table 9. Active Directory Access Codes and Rights.

  • Properties [Type = UnicodeString]: first part is the type of access that was used. Typically has the same value as Accesses field.

    Second part is a tree of GUID values of Active Directory classes or property sets, for which operation was performed.

Note  GUID is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.

To translate this GUID, use the following procedure:

  • Perform the following LDAP search using LDP.exe tool:

    • Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX

    • Filter: (&(objectClass=*)(schemaIDGUID=GUID))

      • Perform the following operations with the GUID before using it in a search request:

        • We have this GUID to search for: bf967a86-0de6-11d0-a285-00aa003049e2

        • Take first 3 sections bf967a86-0de6-11d0.

        • For each of these 3 sections you need to change (Invert) the order of bytes, like this 867a96bf-e60d-d011

        • Add the last 2 sections without transformation: 867a96bf-e60d-d011-a285-00aa003049e2

        • Delete - : 867a96bfe60dd011a28500aa003049e2

        • Divide bytes with backslashes: \86\7a\96\bf\e6\0d\d0\11\a2\85\00\aa\00\30\49\e2

      • Filter example: (&(objectClass=*)(schemaIDGUID=\86\7a\96\bf\e6\0d\d0\11\a2\85\00\aa\00\30\49\e2))

    • Scope: Subtree

    • Attributes: schemaIDGUID

Schema search illustration

Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (Rights-GUID field), “property set name” and details here: https://msdn.microsoft.com/library/ms683990(v=vs.85).aspx.

Here is an example of decoding of Properties field:

Properties Translation
{bf967a86-0de6-11d0-a285-00aa003049e2}
{91e647de-d96f-4b70-9557-d63ff4f3ccd8}
{6617e4ac-a2f1-43ab-b60c-11fbd1facf05}
{b3f93023-9239-4f7c-b99c-6745d87adbc2}
{b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7}
Computer
Private-Information property set
ms-PKI-RoamingTimeStamp
ms-PKI-DPAPIMasterKeys
ms-PKI-AccountCredentials

Additional Information:

  • Parameter 1 [Type = UnicodeString]: there is no information about this field in this document.

  • Parameter 2 [Type = UnicodeString]: there is no information about this field in this document.

Security Monitoring Recommendations

For 4662(S, F): An operation was performed on an object.

Important  For this event, also see Appendix A: Security monitoring recommendations for many audit events.

  • If you need to monitor operations attempts to specific Active Directory classes, monitor for Object Type field with specific class name. For example, we recommend that you monitor all operations attempts to domainDNS class.

  • If you need to monitor operations attempts to specific Active Directory objects, monitor for Object Name field with specific object name. For example, we recommend that you monitor all operations attempts to “CN=AdminSDHolder,CN=System,DC=domain,DC=com” object.

  • Some access types are more important to monitor, for example:

    • Write Property

    • Control Access

    • DELETE

    • WRITE_DAC

    • WRITE_OWNER

      You can decide to monitor these (or one of these) access types for specific Active Directory objects. To do so, monitor for Accesses field with specific access type.

  • If you need to monitor operations attempts to specific Active Directory properties, monitor for Properties field with specific property GUID.

  • Do not forget that Failure attempts are also very important to audit. Decide where you want to monitor Failure attempts based on previous recommendations.