EventPeeker
Event ID 4670 · Audit Success · Security · T1222

Windows Event ID 4670: Permissions Changed on Object

Logged when the discretionary access control list (DACL) on a file system, registry, or token object is modified, changing who can access it and with what permissions. The event records the security descriptor before and after the change (as SDDL strings), the account that made the change, and the process that applied it.

MITRE ATT&CK

Technique

T1222 · File and Directory Permissions Modification

Tactic

Defense Evasion

View on attack.mitre.org →

Why It Matters

Attackers modify DACLs to grant themselves access to restricted objects — Active Directory objects, sensitive files, registry keys, or service binaries — without using the original owner's credentials. This is commonly used for persistence (granting a backdoor account rights to a high-value object) and for privilege escalation (adding write access to a service binary). Unexpected DACL changes on sensitive objects indicate an active attacker manipulating their access.

Key Fields

Object Name: The object whose permissions changed. Focus on service binaries and their directories, scheduled task and startup locations, and sensitive registry keys such as service configuration under HKLM\SYSTEM\CurrentControlSet\Services.
Object Type: Typically File (files and directories), Key (registry), or Token.
Subject Account Name: Who made the change. Unexpected accounts modifying DACLs on privileged objects are a red flag.
Old Sd / New Sd: The security descriptor before and after the change, in SDDL. Diff the DACL ACEs between the two to see exactly which trustee gained or lost which rights; a bare "before and after" comparison of the full string hides this.
Process Name: The process that applied the change (for example icacls.exe, a script host, or an installer). Use it to judge whether the tooling matches the account and the change window.

Investigation Tips

  1. Treat DACL changes on high-value objects as high priority: service binaries and their directories, files loaded by privileged processes, and service or run keys in the registry. Note that 4670 covers file system, registry, and token objects; a DACL change on an Active Directory object (Domain Admins, AdminSDHolder, the domain root) is recorded on the domain controller as 5136 (nTSecurityDescriptor modified) and 4662 (WRITE_DAC), so pivot to those events for directory objects, where such changes can enable DCSync rights or persistent admin-equivalent access.
  2. Check whether GenericAll, WriteDACL, or WriteOwner rights were added (GA, WD, and WO in SDDL; note that the composite codes FA for files and KA for registry keys include WRITE_DAC and WRITE_OWNER). These are the most dangerous permissions, effectively granting full control over the object, since whoever holds them can rewrite the DACL again at will.
  3. Look at the Account Name pattern: legitimate DACL changes come from known admin accounts and deployment tooling during change windows. Unexpected user accounts, or service accounts modifying DACLs outside their normal scope, deserve immediate investigation.
  4. Is this always malicious? No. DACL changes occur during normal administration, software installation, and Group Policy application. Context (account, object, process, timing, and what the new ACE actually grants) determines severity.
  5. Correlate with 4663 (object access) and, for directory objects, 4662 (directory service access): attackers who widen a DACL typically follow up by using the access they just granted, and the Process Name in 4670 tells you which process to look for in 4688.

Related Event IDs

4662 · Directory service access: use of the newly granted permissions on a directory object, and the WRITE_DAC access that changed it
5136 · Directory service object modified: a DACL change on an Active Directory object shows up here (attribute nTSecurityDescriptor), not as 4670
4663 · Object access: file and registry access after the DACL modification
4907 · Auditing settings changed: SACL modification often pairs with DACL changes, for example to turn off auditing on the object first
4688 · Process creation: the command line of the process named in the 4670 Process Name field

See Event ID 4670 in your logs

Upload a Windows Event Log (.evtx) file. EventPeeker automatically detects 4670 permission-change patterns, maps findings to MITRE ATT&CK, and generates an AI triage report.

Analyze EVTX Logs Free →