4663

An attempt was made to access an object

Specific access (Read, Write, Delete) was performed on a file, registry key, or pipe.

Event ID 4663 is the core operational event for File System and Registry object access monitoring. When SACLs are enabled on critical folders or files, Event 4663 logs exact operations (`WriteData (or AddFile)`, `ReadData`, `Delete`) performed by any `ProcessName` against the `Object Name` (full path).

Failure Reason / Root Cause:

User opening/editing files on network shares, or unauthorized exfiltration/encryption of sensitive financial folders.

CategoryObject Access
Audit typeSuccess Audit
SeverityMedium
Applies toWindows Server 2016, 2019, 2022 / Windows 10, 11
Keywordsobject accessed, file modified, writedata, readdata, sacl, file share monitoring
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4663</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-07-17T09:54:44.872Z" />
    <EventRecordID>1048576</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1024" />
    <Channel>Security</Channel>
    <Computer>DC01.enterprise.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <!-- Event telemetry fields specific to An attempt was made to access an object -->
  </EventData>
</Event>

MITRE ATT&CK mapping

IDTechniqueTactic
T1005Data from Local SystemCollection
T1486Data Encrypted for ImpactImpact

Recommended actions

Related events