Windows Event ID 4663 — Object Access Attempt
Logged when an attempt is made to access an audited object (file, folder, registry key, etc.). A SACL (System Access Control List) must be configured on the object for this event to be generated.
MITRE ATT&CK
T1003 · OS Credential Dumping (tactic: Credential Access)
Why It Matters
File auditing on sensitive directories (e.g. SAM database, LSASS dump paths, credential stores) can reveal data theft or credential dumping attempts.
Key Fields
Investigation Tips
1. Enable object access auditing on sensitive paths: C:\Windows\System32\config, LSASS process memory, and credential stores.
2. Access to ntds.dit or the SYSTEM hive by a process that is not a known backup process indicates credential dumping.
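The following is an added example (not EventPeeker code) showing how the second tip can be turned into detection logic over 4663 records. It parses a constructed XML sample in the shape of an .evtx export, keeps only Event ID 4663, and flags reads of the SAM/SYSTEM hives or ntds.dit by any process outside an assumed allowlist; the backup-agent path in that allowlist is a placeholder you would replace with your own backup software.

```python
"""Flag Event ID 4663 records where sensitive credential-store objects are accessed
by processes outside an expected allowlist.  Example code added to this page; it is
not part of EventPeeker.  The XML sample below is constructed, not a real export."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (the same one an .evtx export carries).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Objects named in the investigation tips above: SAM/SYSTEM hives and the AD database.
SENSITIVE_OBJECTS = [
    re.compile(r"\\Windows\\System32\\config\\(SAM|SYSTEM)$", re.IGNORECASE),
    re.compile(r"\\ntds\.dit$", re.IGNORECASE),
]

# Assumed allowlist of processes that legitimately read these objects.
# lsass.exe owns the hives; the backup-agent path is a placeholder for your own tooling.
EXPECTED_PROCESSES = {
    r"c:\windows\system32\lsass.exe",
    r"c:\program files\examplebackup\agent.exe",  # placeholder, not a real product path
}

# A few AccessMask bits worth naming in a triage note (Windows ACCESS_MASK values).
ACCESS_BITS = {0x1: "ReadData", 0x2: "WriteData", 0x10000: "DELETE"}


def parse_4663(xml_text):
    """Return a list of EventData dicts for every Event ID 4663 in the XML document."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue  # other object-access events (e.g. 4656) are ignored here
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        records.append(data)
    return records


def decode_mask(mask_text):
    """Translate a hex AccessMask string such as '0x10001' into readable right names."""
    mask = int(mask_text, 16)
    return [name for bit, name in ACCESS_BITS.items() if mask & bit]


def flag_sensitive_access(records):
    """Return triage hits: sensitive object touched by a process not on the allowlist."""
    hits = []
    for rec in records:
        obj = rec.get("ObjectName", "")
        if not any(p.search(obj) for p in SENSITIVE_OBJECTS):
            continue
        if rec.get("ProcessName", "").lower() in EXPECTED_PROCESSES:
            continue  # expected reader (backup agent, lsass)
        hits.append({
            "user": f'{rec.get("SubjectDomainName", "")}\\{rec.get("SubjectUserName", "")}',
            "object": obj,
            "process": rec.get("ProcessName", ""),
            "access": decode_mask(rec.get("AccessMask", "0x0")),
        })
    return hits


# Constructed sample: two suspicious reads, two allowlisted reads, one benign file, one 4656.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><EventID>4663</EventID></System><EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">C:\\Windows\\System32\\config\\SAM</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessName">C:\\Users\\jdoe\\Downloads\\tool.exe</Data>
  </EventData></Event>
  <Event><System><EventID>4663</EventID></System><EventData>
    <Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="ObjectName">C:\\Windows\\System32\\config\\SAM</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\lsass.exe</Data>
  </EventData></Event>
  <Event><System><EventID>4663</EventID></System><EventData>
    <Data Name="SubjectUserName">SYSTEM</Data><Data Name="SubjectDomainName">NT AUTHORITY</Data>
    <Data Name="ObjectName">C:\\Windows\\NTDS\\ntds.dit</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessName">C:\\Program Files\\ExampleBackup\\agent.exe</Data>
  </EventData></Event>
  <Event><System><EventID>4663</EventID></System><EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">C:\\Windows\\NTDS\\ntds.dit</Data>
    <Data Name="AccessMask">0x10001</Data>
    <Data Name="ProcessName">C:\\Users\\jdoe\\Downloads\\tool.exe</Data>
  </EventData></Event>
  <Event><System><EventID>4663</EventID></System><EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectName">C:\\Users\\jdoe\\notes.txt</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
  </EventData></Event>
  <Event><System><EventID>4656</EventID></System><EventData>
    <Data Name="ObjectName">C:\\Windows\\System32\\config\\SYSTEM</Data>
    <Data Name="ProcessName">C:\\Users\\jdoe\\Downloads\\tool.exe</Data>
  </EventData></Event>
</Events>"""


def run_sample():
    """Parse the constructed sample and return the triage hits (two expected)."""
    return flag_sensitive_access(parse_4663(SAMPLE_XML))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Only the two reads by the unknown downloaded executable are reported; the lsass.exe and backup-agent reads fall through the allowlist, the notes.txt access is not a sensitive object, and the 4656 record is dropped by the Event ID filter. In a real environment the allowlist is the tunable part: keep it to full, case-normalised paths and review it whenever backup tooling changes.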
Go deeper: the full Credential Dumping guide
Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.