An attempt was made to access an object
Specific access (Read, Write, Delete) was performed on a file, registry key, or pipe.
Event ID 4663 is the core operational event for File System and Registry object access monitoring. When SACLs are enabled on critical folders or files, Event 4663 logs exact operations (`WriteData (or AddFile)`, `ReadData`, `Delete`) performed by any `ProcessName` against the `Object Name` (full path).
Failure Reason / Root Cause:
User opening/editing files on network shares, or unauthorized exfiltration/encryption of sensitive financial folders.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.872Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to An attempt was made to access an object -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1005 | Data from Local System | Collection |
T1486 | Data Encrypted for Impact | Impact |
Recommended actions
- Enable SACLs on high-value repositories (`C:\SensitiveData\`, `NTDS.dit`) and monitor for Event 4663 `WriteData` operations from non-backup binaries (`ransomware indicators`).