Auditing settings on object were changed
A System Access Control List (SACL) on an object (`File`, `Registry`, `Service`) was modified.
Event ID 4817 logs when SACL audit policies are changed or stripped from secured objects. Threat actors sometimes strip SACLs from critical registry keys or files so their subsequent modifications generate no `4657` (`Registry modified`) or `4663` (`File accessed`) telemetry (`Audit Blinding`).
Failure Reason / Root Cause:
Modification of SACL security descriptor on `ObjectName`.
Raw Event XML snippet
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4817</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2026-07-17T09:54:44.917Z" />
<EventRecordID>1048576</EventRecordID>
<Correlation />
<Execution ProcessID="612" ThreadID="1024" />
<Channel>Security</Channel>
<Computer>DC01.enterprise.internal</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<!-- Event telemetry fields specific to Auditing settings on object were changed -->
</EventData>
</Event>MITRE ATT&CK mapping
| ID | Technique | Tactic |
|---|---|---|
T1562.001 | Impair Defenses: Disable or Modify Tools | Defense Evasion |
Recommended actions
- Inspect `ObjectName` and check if SACLs were removed from critical logging, security, or registry run paths.