4817

Auditing settings on object were changed

A System Access Control List (SACL) on an object (`File`, `Registry`, `Service`) was modified.

Event ID 4817 logs when SACL audit policies are changed or stripped from secured objects. Threat actors sometimes strip SACLs from critical registry keys or files so their subsequent modifications generate no `4657` (`Registry modified`) or `4663` (`File accessed`) telemetry (`Audit Blinding`).

Failure Reason / Root Cause:

Modification of SACL security descriptor on `ObjectName`.

CategoryPolicy Change
Audit typeSuccess Audit
SeverityHigh
Applies toWindows Server 2016, 2019, 2022 / Windows 10, 11
Keywords4817, auditing settings changed, sacl modified, audit blinding, security descriptor altered
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4817</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2026-07-17T09:54:44.917Z" />
    <EventRecordID>1048576</EventRecordID>
    <Correlation />
    <Execution ProcessID="612" ThreadID="1024" />
    <Channel>Security</Channel>
    <Computer>DC01.enterprise.internal</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SYSTEM</Data>
    <Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <!-- Event telemetry fields specific to Auditing settings on object were changed -->
  </EventData>
</Event>

MITRE ATT&CK mapping

IDTechniqueTactic
T1562.001Impair Defenses: Disable or Modify ToolsDefense Evasion

Recommended actions

Related events